Cloud Security, Application security, API security

Attackers steal API keys, OAuth tokens, in Dropbox Sign breach

Dropbox mobile icon app on screen smartphone iPhone. Dropbox is file hosting company Dropbox Inc.

The popular cloud service Dropbox reported on April 29 that threat actors had gained access and breached data related to all users of Dropbox Sign, formerly known as Hello Sign.  

In a filing with the Securities and Exchange Commission, Dropbox said for subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information, such as API keys, OAuth tokens, and multi-factor authentication.

“Based on what we know as of the date of this filing, there is no evidence that the threat actor accessed the contents of users’ accounts, such as their agreements or templates, or their payment information,” the SEC filing said.

Security pros saw this as a major blow to Dropbox and e-signatures in general because it’s been three decades since the rise of the web in the 1990s and people were just starting to get used to doing business with e-signatures. From sales contracts to offer letters, vendor agreements, and real estate transactions, businesses use Dropbox Sign to send PDFs, Microsoft Word documents, and Google Docs to conduct business electronically.

“This breach is especially significant since API keys and OAuth tokens were compromised,” said Ray Kelly, a fellow at the Synopsys Software Integrity Group. “API keys are often static and do not change so that organizations can automate their processes around their services. When these keys are compromised, a malicious actor can gain access to services that can be sensitive or cause monetary consequences for the victim.” 

Dropbox's security breach represents an alarming domino effect that extends far beyond the company itself, said Nathaniel Jones, director of strategic threat and engagement at Darktrace. Jones said the implications could extend further into corporate ecosystems, pointing out that employees reuse passwords all the time for the many apps and tools they log into, so the compromised details may have opened entry points across other cloud services.

“Another implication could be if this data was then used to launch attacks using compromised accounts as sock puppets: exploiting the inherent trust employees place in communications from a legitimate corporate service,” said Jones. “While email has long been the vector of choice for carrying out phishing attacks, threat actors and their tactics are continually adapting and evolving to keep pace with the emergence of new technologies that represent new avenues to exploit. We’ve seen a rise in the abuse of commonly used services and platforms, including Microsoft Teams and Dropbox used for phishing campaigns in recent months.”

Tom Siu, chief information security officer at  Inversion6, added that the potential implications of this data breach are that both parties of a document signature process could be targeted by fraud campaigns. Siu said the risky part is that a person who signed a document through the service, but did not have an account themselves, may not realize there has been a breach with Dropbox Sign unless the firm contacts them via email to the disclosed account.

Siu also pointed out that this incident — which came to light on May 1, a day before World Password Day — involved another breach stemming from a compromised service account. It’s just one of several non-consumer issues related to password and account access management that pose challenges to cybersecurity and IT teams working together to secure their environments, said Siu.

“One of the important takeaways here is that Dropbox Sign was a product acquisition by Dropbox of Hello Sign in 2019, and security assessments both pre- and post-acquisition/mergers have become part of the basic framework of IT business,” explained Siu. “Even five years later, security issues can arise in varying product lines. Kudos to Dropbox for being transparent and forthcoming with the disclosure on its May 1 blog.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.