Dropbox Sign security breach leads to data theft

Dropbox says it has reset the passwords and tokens for all its Sign customers.

A security breach in the Dropbox Sign production system led to the unauthorized access and theft of customer information, such as tokens, password hashes, email addresses, and names, as disclosed by Dropbox. Formerly known as HelloSign, Dropbox Sign provides services for electronically signing documents.

On April 24, Dropbox detected that an intruder had infiltrated the production system of Dropbox Sign and extracted customer information. “We are confident this breach was confined to the Dropbox Sign infrastructure and did not affect other Dropbox services,” the firm said. Dropbox clarified that the infrastructures of Dropbox and Dropbox Sign are largely separate. The compromised data includes customer email addresses, usernames, phone numbers, password hashes, and credentials such as API keys, OAuth tokens, and multi-factor authentication data.

Dropbox traced the breach to unauthorized access to a Dropbox Sign automated system configuration tool. A backend service account of Dropbox Sign, used for operating automated systems, was hijacked. This account had sufficient privileges to execute specific tasks within the Dropbox Sign production area, which gave the intruder a path into the production environment and the customer database.

In response to the breach, Dropbox has reset the passwords for all Dropbox Sign accounts, signed out users from all devices linked to Dropbox Sign, and is currently resetting all API keys and OAuth tokens.

The incident has been reported to regulatory bodies and other relevant authorities. Users employing an authentication application for multi-factor authentication have been advised to reset their Sign access and set it up anew.

The attacker’s exact method of penetration has not been disclosed, but Dropbox added that they are conducting an exhaustive investigation: “We’re also conducting an extensive review of this incident to better understand how this happened and to protect against this kind of threat in the future.”

How are the passwords hashed?

Dropbox itself fell victim to a security breach in 2012. The data from that breach was then published online in 2016, and over 68M accounts were affected. At the time, The Guardian (as well as Troy Hunt) published a story about it.

In that story, Dropbox responded to The Guardian, saying that their passwords were being upgraded from SHA-1 hashing to bcrypt, the latter being widely regarded as the industry standard. Dropbox also published a separate blog post at the time, titled “How Dropbox securely stores your passwords”.

That post explains that the process Dropbox uses for salting and hashing passwords is as follows:

  • Initial Hashing with SHA512: Each password is first hashed using SHA512, utilizing a unique salt for each account.
  • Second Hashing with bcrypt: The SHA512-hashed password is then re-hashed using bcrypt. This hashing utilizes bcrypt’s default strength setting.
  • Encryption with Application Server Key: Finally, the bcrypt-hashed password is encrypted using a key that is managed by the application server and not stored in the database.

In other words, this is an extremely secure, layered approach. However, because Dropbox Sign came in through an acquisition (see Dropbox’s announcement “Dropbox to Acquire HelloSign”), it is unclear whether the same password storage scheme was applied to Sign.

Stack Diary has asked the Dropbox team about this, and this article will be updated once we have an answer.