Comment: Dropbox Sign hacked
May 2024 by Andy Kays, CEO Socura
Dropbox has confirmed that it was a victim of a data breach, doing so via an SEC filing https://therecord.media/dropbox-data-breach-notification
The comments in response from Andy Kays, CEO of Socura, who says the attack offers “tremendous scope for abuse, identity theft, fraud, and business email compromise".
“This looks like a classic case of breach through acquisition. When a large company buys a smaller one, it can throw up major security risks. The most common scenarios are that the acquired company has vulnerabilities, limited security capabilities, or there are compatibility issues as products, technologies, services and teams are integrated. The fact that only the Dropbox Sign product was breached, not the wider business, suggests that a security gap either existed with the Hellosign product at the time of purchase, or developed over time as the company changed and rebranded it.
“Adversaries having access to sensitive documents and a signature service offers tremendous scope for abuse, identity theft, fraud, and business email compromise. Dropbox users must act as though an attacker has their signature and the ability to sign legal documents in their name. They should change their passwords and enable MFA immediately.