Dropbox Breach: Unauthorised Access Compromises User Data Immediate Action Taken, Security Measures Strengthened
Updated: May 6, 2024
Dropbox has confirmed unauthorised access to customer information on its Dropbox Sign e-signature platform (formerly HelloSign), including hashed passwords and multi-factor authentication data, as well as authentication material such as API keys and OAuth tokens. The company states that the breach was confined to Dropbox Sign and that no other Dropbox platforms or products were affected. Users are advised to reset their passwords, log out of connected devices and, where an authenticator app was used, re-enrol it for Dropbox Sign.
The incident came to light on April 24, 2024, when Dropbox discovered unauthorised access to the Dropbox Sign production environment. In a statement, the company acknowledged that customer information had been compromised but emphasised that it is taking immediate action to protect users' data. Dropbox is currently reaching out to all affected users with step-by-step instructions on how to further secure their accounts.
According to the ongoing investigation, the attacker first gained access to an automated system configuration tool used by Dropbox Sign. From there they compromised a back-end service account, a non-human account used to run applications and automated services, whose elevated privileges allowed access to both the production environment and the customer database. As a precautionary measure, Dropbox has reset users' passwords and logged them out of any devices connected to Dropbox Sign. Users will receive an email prompting them to set a new password the next time they log in.
Despite the breach, Dropbox has stated that there is no evidence that the attackers accessed any documents, agreements, templates or other content stored in users' accounts. However, individuals who received or signed a document through Dropbox Sign, even without holding an account, may have had their names and email addresses exposed. Dropbox is actively reaching out to these impacted users and expects to complete all notifications within a week.
In addition to addressing the breach, Dropbox has issued a warning to its API customers. They are advised to rotate their API keys by generating new ones and deleting the existing keys. Until a key is rotated, it is restricted to a limited set of functionality, so that signature requests and signing continue to work while other API operations are blocked; once the new key is in place, all restrictions are lifted and the product functions as normal. Because OAuth tokens were among the authentication data accessed, OAuth-based integrations should be treated as compromised and re-authorised as well.
Source: FORBES