Dropbox has shared the results of an investigation into a hack of its infrastructure. The company doesn’t specify when the incident actually occurred, stating only that the attack was noticed by company employees on April 24. Here, we explain what happened, what data was leaked, and how to protect yourself and your company from the consequences of the incident.
Dropbox Sign hack: how it happened and what data was stolen
Unidentified attackers managed to compromise the Dropbox Sign service account, and thus gain access to the platform’s internal automated configuration mechanism. Using this access, the hackers were able to get their hands on a database that contains information about Dropbox Sign users.
As a result, the following data of registered users of the Sign service was stolen:
- usernames;
- email addresses;
- phone numbers;
- passwords (hashed);
- authentication keys for the Dropbox Sign API;
- OAuth authentication tokens;
- SMS and application two-factor authentication tokens.
If users of the service interacted with it without creating an account, only their names and email addresses were leaked.
Dropbox claims that it found no signs of unauthorized access to the contents of user accounts, that is, documents and agreements, as well as payment information.
As a protective measure, Dropbox reset the passwords for all Dropbox Sign accounts and ended all active sessions, so you’ll have to log in to the service again and set a new password.
Does the Dropbox Sign hack affect all Dropbox users?
Dropbox Sign, formerly known as HelloSign, is Dropbox’s standalone cloud document workflow tool, used primarily for signing digital documents. The closest analogues of this service are DocuSign and Adobe Sign.
As the company emphasizes in its statement, Dropbox Sign’s infrastructure is “largely separate from other Dropbox services”. Judging by the results of the company’s investigation, the Dropbox Sign hack was an isolated incident and didn’t affect other Dropbox products. Thus, according to the information we have now, it doesn’t in any way threaten users of the company’s main service, Dropbox cloud file storage itself. This is also true for those users whose Sign account was linked to their main Dropbox account.
What should you do about Dropbox Sign being hacked?
Dropbox has already reset passwords for all Dropbox Sign accounts, so you’ll have to change the password in any case. We recommend using a completely new password rather than a slightly modified version of the old one. Ideally, you should generate a long random combination of characters using a password manager and store it there.
Since two-factor authentication tokens were also stolen, you should reset them as well. If you used SMS, the reset happened automatically. And if you used an application, you’ll have to do it yourself. To do so, go through the process of registering your authenticator app with the Dropbox Sign service again.
The list of data stolen by hackers also includes authentication keys for the Dropbox Sign API. So if your company used this tool through the API, you need to generate a new key.
Finally, if you’ve used the same password in any other services, you should change it as quickly as possible, especially if it was accompanied by the same username, email address, or phone number that you specified when registering for Dropbox Sign. Again, for this it’s convenient to use our Password Manager, which, by the way, is part of our security solution for small businesses.


