Dropbox has disclosed that an attacker gained access to the production environment of Dropbox Sign, its e-signature service (formerly HelloSign), and retrieved customer data: email addresses, usernames, hashed passwords, and authentication material including API keys, OAuth tokens and multi-factor authentication settings. Dropbox became aware of the intrusion on April 24, 2024 and published its notification on May 1, 2024; it reports no evidence that the contents of customers' documents or other Dropbox products were accessed.
The attacker got in by compromising a back-end service account of Dropbox Sign, a non-human identity used to run automated services, which carried enough privilege to act within the Sign production environment. That is the security lesson of the incident: service accounts, API keys and OAuth tokens grant access without the password and MFA checks that protect interactive logins, so they need the same inventory, scoping and rotation discipline as user credentials.
Dropbox has notified affected customers, reset Dropbox Sign passwords, logged out connected devices and is rotating all API keys and OAuth tokens for the service.
Dropbox Breach Incident
Dropbox is embarking on an "extensive review" to understand the breach that exposed sensitive information.
The breach occurred in Dropbox Sign (formerly HelloSign), a product Dropbox acquired, which suggests that a security gap either existed at the time of purchase or opened up as the company integrated and rebranded it.
A threat actor holding a compromised API key or OAuth token can act against a Dropbox Sign account without a username, a password or a multi-factor authentication (MFA) code: these are bearer credentials, and the API accepts them as the whole proof of identity.
Patrick Wragg, head of incident response at Integrity360, warned that API keys and OAuth tokens are worse than passwords because they allow programmable and scriptable access to the owner's Dropbox instance.
The exposed passwords were hashed, which limits their immediate usefulness, but the API keys and other authentication data were usable exactly as stolen and remain the more pressing concern until every one of them has been rotated.
Dropbox Sign users should change their passwords now and enable multi-factor authentication (MFA). Integrations that authenticate with an API key or OAuth token must also rotate those credentials: a new password and a fresh MFA device do nothing against a bearer credential that never asks for either.
Adversaries with access to sensitive documents and a legally binding signature service have wide scope for abuse, including identity theft, fraud and business email compromise.
Here are the steps to take in response to the breach:
- Change your Dropbox Sign password immediately, and change it anywhere else you reused it.
- Enable multi-factor authentication (MFA), and re-enrol your authenticator app entry for Dropbox Sign.
- If you use the API, generate a new API key, reconfigure your application, then delete the old key; have OAuth tokens reissued.
- Monitor account and signature-request activity closely for anything you did not initiate.
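The point made above, that a stolen API key or OAuth token bypasses both the password hash and MFA, is easier to see in code. The following is an added example written for this page, not Dropbox's or Dropbox Sign's own code: a hypothetical e-signature service with an interactive login path (salted PBKDF2 password hash plus an RFC 6238 TOTP code) and a programmatic path that accepts a bearer API key alone. The account name, passphrases and authenticator seed are constructed for the demo.

```python
"""Added example (not Dropbox's or Dropbox Sign's own code): why a leaked API key
or OAuth token sidesteps both the password hash and MFA.

A hypothetical e-signature service with two authentication paths:
  - interactive login: password checked against a salted PBKDF2 hash, then a TOTP code
  - programmatic access: a bearer credential (API key) and nothing else
The account name, passphrases and authenticator seed are constructed for the demo.
"""
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # kept low for the demo; production deployments use more


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time window containing `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class SignService:
    """Minimal account store: password hashes, MFA seeds and bearer API keys."""

    def __init__(self) -> None:
        self.users: dict = {}
        self.api_keys: dict = {}  # bearer key -> account it acts as

    def register(self, username: str, password: str) -> bytes:
        self.users[username] = {"salt": b"", "hash": b"", "totp": b""}
        self.set_password(username, password)
        return self.reset_totp(username)

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username].update(salt=salt, hash=hash_password(password, salt))

    def reset_totp(self, username: str) -> bytes:
        seed = secrets.token_bytes(20)  # what the user enrols in their authenticator app
        self.users[username]["totp"] = seed
        return seed

    def issue_api_key(self, username: str) -> str:
        key = secrets.token_urlsafe(32)
        self.api_keys[key] = username
        return key

    def revoke_api_key(self, key: str) -> None:
        self.api_keys.pop(key, None)

    def login(self, username: str, password: str, code: str, at: int) -> Optional[str]:
        """Interactive path: password AND MFA are both required."""
        user = self.users.get(username)
        if user is None:
            return None
        ok_pw = hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])
        ok_mfa = hmac.compare_digest(code, totp(user["totp"], at))
        return username if ok_pw and ok_mfa else None

    def api_request(self, api_key: str) -> Optional[str]:
        """Programmatic path: the bearer key alone identifies the caller."""
        return self.api_keys.get(api_key)


def breach_walkthrough() -> dict:
    """Replays what an attacker can do with each kind of data the breach exposed."""
    svc = SignService()
    seed = svc.register("alice", "correct horse battery staple")
    stolen_key = svc.issue_api_key("alice")
    stolen_hash = svc.users["alice"]["hash"].hex()  # hashed, as in the breach
    now = int(time.time())

    result = {
        "owner_login": svc.login("alice", "correct horse battery staple", totp(seed, now), now),
        # the hash is not the password, and the attacker has no authenticator code
        "stolen_hash_login": svc.login("alice", stolen_hash, "000000", now),
        # the bearer key needs neither
        "stolen_key_access": svc.api_request(stolen_key),
    }
    # Alice follows the end-user advice: new password, re-enrolled MFA ...
    svc.set_password("alice", "a brand new passphrase")
    svc.reset_totp("alice")
    result["stolen_key_after_password_and_mfa_reset"] = svc.api_request(stolen_key)
    # ... but only rotating the key itself shuts the programmatic door.
    svc.revoke_api_key(stolen_key)
    new_key = svc.issue_api_key("alice")
    result["stolen_key_after_rotation"] = svc.api_request(stolen_key)
    result["new_key_access"] = svc.api_request(new_key)
    return result
```

Run `breach_walkthrough()` and compare the entries: the stolen hash and a missing TOTP code both fail the interactive path, the stolen key passes the programmatic path before and after the password and MFA reset, and only revoking the key stops it. That is why the checklist above includes key rotation alongside the password change.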
Data Breach Management
Dropbox's security team reset all Dropbox Sign passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of every API key and OAuth token issued for the service.
While keys are being rotated, Dropbox has restricted what an existing API key can do: only signature requests and signing remain operational until the customer has rotated to a new key, at which point the restrictions are lifted and the product works as normal. The restriction is a precaution against further unauthorized use of a key the attacker may hold.
Dropbox Sign users will be asked to set a new password the next time they log in. API customers need to generate a new API key and configure their application with it; Dropbox has published instructions for doing so.
Once the application is running on the new key, delete the old one; otherwise the compromised key keeps working alongside its replacement.
Customers who use an authenticator app with Dropbox Sign for MFA should delete the existing Dropbox Sign entry from the app and then re-enrol through the reset flow. Those who receive MFA codes by SMS do not need to take action.
If a Dropbox Sign password was reused on any other service, that password should be changed there as well, and MFA enabled wherever it is available.
Dropbox says it is continuing an "extensive review" of the incident to understand exactly what happened and to protect its customers against similar threats in the future.
Mitigation Steps:
Taken by Dropbox:
- Reset all Dropbox Sign passwords
- Logged users out of connected devices
- Rotating OAuth tokens, and restricting existing API keys to signature requests and signing until they are rotated
To be done by customers:
- Generate a new API key, reconfigure the application with it, then delete the old key
- Reset the authenticator app entry used for MFA (SMS users need not act)
- Change any reused password on other services and enable MFA wherever available
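The containment sequence above (restrict every pre-incident key to signing, revoke tokens and sessions, have each customer rotate to a fresh key and delete the old one) can be modelled as a small key registry. The following is an added example written for this page, not Dropbox's code: the capability names, key format, account names and timestamps are constructed for the demo, and the capability set `ROTATION_CAPS` stands in for the "signature requests and signing only" restriction the article describes.

```python
"""Added example (not Dropbox's code): a model of the containment sequence listed above.

A hypothetical key registry for an e-signature API that implements:
  - blanket containment: every key issued before the incident is marked RESTRICTED and
    may only call `signature_request` and `sign`; OAuth tokens and device sessions are
    revoked outright
  - customer rotation: issue a fresh, unrestricted key, then delete the old one
  - an audit trail plus a report of accounts still awaiting rotation
Capability names, key format, accounts and timestamps are constructed for the demo.
"""
from dataclasses import dataclass
import secrets

ALL_CAPS = frozenset({"signature_request", "sign", "account", "template", "team"})
ROTATION_CAPS = frozenset({"signature_request", "sign"})  # the only ones left open mid-rotation


@dataclass
class ApiKey:
    key: str
    account: str
    issued_at: int
    restricted: bool = False
    revoked: bool = False


class KeyRegistry:
    def __init__(self) -> None:
        self.keys: dict = {}          # key string -> ApiKey
        self.oauth_tokens: dict = {}  # token -> account
        self.sessions: dict = {}      # account -> set of device ids
        self.audit: list = []         # (action, account, detail) tuples

    def issue(self, account: str, issued_at: int) -> str:
        key = "sk_" + secrets.token_hex(16)
        self.keys[key] = ApiKey(key, account, issued_at)
        self.audit.append(("issue", account, key[:8]))
        return key

    def revoke(self, key: str) -> None:
        self.keys[key].revoked = True
        self.audit.append(("revoke", self.keys[key].account, key[:8]))

    def authorize(self, key: str, capability: str) -> bool:
        """Gate every API call; restricted keys keep only the rotation-safe capabilities."""
        ak = self.keys.get(key)
        if ak is None or ak.revoked or capability not in ALL_CAPS:
            return False
        if ak.restricted and capability not in ROTATION_CAPS:
            return False
        return True

    def contain(self, breach_at: int) -> dict:
        """Provider-side response: restrict pre-incident keys, revoke tokens and sessions."""
        restricted = [k for k, ak in self.keys.items() if ak.issued_at <= breach_at and not ak.revoked]
        for k in restricted:
            self.keys[k].restricted = True
            self.audit.append(("restrict", self.keys[k].account, k[:8]))
        oauth = len(self.oauth_tokens)
        self.oauth_tokens.clear()
        sessions = sum(len(devices) for devices in self.sessions.values())
        self.sessions.clear()
        self.audit.append(("revoke_oauth_and_sessions", str(oauth), str(sessions)))
        return {"keys_restricted": len(restricted), "oauth_revoked": oauth, "sessions_ended": sessions}

    def rotate(self, old_key: str, now: int) -> str:
        """Customer-side rotation: new unrestricted key first, then delete the old one."""
        new_key = self.issue(self.keys[old_key].account, now)
        self.revoke(old_key)
        return new_key

    def awaiting_rotation(self) -> list:
        """Accounts still holding a live restricted key: the incident team chases these."""
        return sorted({ak.account for ak in self.keys.values() if ak.restricted and not ak.revoked})


def rotation_walkthrough() -> dict:
    """Constructed timeline: two customers, one rotates promptly and one does not."""
    reg = KeyRegistry()
    acme_key = reg.issue("acme", issued_at=100)
    reg.issue("globex", issued_at=120)
    reg.oauth_tokens["tok_1"] = "acme"
    reg.sessions["acme"] = {"laptop", "phone"}
    out = {"acme_account_before": reg.authorize(acme_key, "account")}

    out["containment"] = reg.contain(breach_at=200)
    out["acme_sign_during"] = reg.authorize(acme_key, "sign")        # signing still works
    out["acme_account_during"] = reg.authorize(acme_key, "account")  # everything else is off

    new_key = reg.rotate(acme_key, now=300)
    out["new_key_account"] = reg.authorize(new_key, "account")
    out["old_key_after_rotation"] = reg.authorize(acme_key, "sign")  # deleted key is dead
    out["still_awaiting"] = reg.awaiting_rotation()                  # globex has not rotated
    return out
```

The order inside `rotate` matters: the replacement key is issued before the old one is revoked, so the customer's integration never loses signing capability, and `awaiting_rotation` gives the incident team the list of accounts that still need chasing because their only live key is the restricted one.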
Recent Data Breaches
Recent data breaches have been making headlines. Qantas, the Australian flag carrier, apologized after a glitch in its mobile application temporarily allowed customers to view other frequent fliers' flights and booking details.
The ransomware attack against Change Healthcare was examined in a US congressional hearing, where UnitedHealth Group CEO Andrew Witty shed more light on the incident.
The UK Information Commissioner's Office (ICO) has urged charities and healthcare organizations to improve their data protection after the HIV status of more than 100 people was exposed in a breach.
Dropbox's own incident fits the pattern of a breach inherited through acquisition: the affected product, HelloSign, was bought and rebranded as Dropbox Sign, and the compromised service account lived in that product's back end, whose infrastructure is largely separate from the rest of Dropbox.
Frequently Asked Questions
What does it mean if your info has been breached?
It means that an organization holding data about you has had that data taken by an unauthorized party. Take immediate action: secure the affected account (new password, MFA, and any API keys or tokens you have issued), change the same password anywhere else you reused it, and be alert to phishing that uses the exposed names and email addresses.
Sources
- https://www.securitysystemsnews.com/article/file-hosting-service-dropbox-breached-by-cyberattack
- https://therecord.media/dropbox-data-breach-notification
- https://www.bankinfosecurity.com/dropbox-sees-breach-legally-binding-e-signature-service-a-24997
- https://www.computerweekly.com/news/366583082/Dropbox-Sign-user-information-accessed-in-data-breach
- https://www.darkreading.com/application-security/dropbox-breach-exposes-customer-credentials-authentication-data