Features 11.06.2024
Dropbox Hack: 5 Lessons from the Dropbox Sign Breach
This incident shows breaches can inadvertently compromise the data of individuals who may not have had a Dropbox account
At the start of May 2024, Dropbox announced that hackers had accessed customer passwords and 2FA data held by Dropbox Sign, its e-signature service, which operated as HelloSign until Dropbox acquired it in 2019.
The attack had a ripple effect. People who had received or signed documents through the service were also affected, with names and email addresses exposed, even if they had never held a Dropbox Sign account.
With over 700 million registered users across 180 countries, Dropbox is one of the world’s biggest file-sharing platforms. And it’s not the first time the firm has been hacked.
In 2016, Dropbox revealed a major 2012 breach that exposed 68 million account passwords. In November 2022, the company admitted attackers had gained access to customer and employee source code and personal information.
The firm became aware of the 2022 breach after a staffer’s credentials were stolen during a phishing attack. The credentials were used to access a GitHub account and steal 130 code repositories.
Experts say the latest Dropbox incident highlights multiple security issues that other firms can avoid. So, without further ado, here’s what can be learned.
According to Dropbox’s post-breach statement, the incident only affected the Dropbox Sign infrastructure. Dropbox Sign is the former HelloSign, bought by Dropbox five years ago, which highlights the importance of security following an acquisition, says Sergei Serdyuk, VP of product management at NAKIVO.
Mergers and acquisitions involve sensitive integration and data-sharing phases, often creating “wide security openings”, he says. “It is possible that HelloSign already had a poor security posture with vulnerabilities and weak security measures that carried over through the acquisition. Perhaps the vulnerabilities began to build up starting from the point of the acquisition due to integration issues.”
The breach highlights the importance of robust security, especially in the face of multiple acquisitions, says Pieter Arntz, malware intelligence researcher at Malwarebytes. “It’s essential to conduct thorough security assessments of all tools and services – especially after a merger or acquisition – ensuring that critical components remain protected from external threats.”
The hacker behind the Dropbox Sign breach accessed customer-related information, including email addresses, usernames, phone numbers and hashed passwords. However, the breach also affected others who had previously received or signed documents through Dropbox Sign, even if they had never created an account.
“In other words, this incident shows breaches can inadvertently compromise the data of individuals who may not have any direct relationship with the affected platform,” warns Serdyuk.
Taking this into account, he says, companies must consider “downstream effects” in their data protection and cybersecurity strategies. “This will help minimise collateral damage to third parties and customers.”
However, at the same time, Dropbox was fortunate the attack was isolated and only one service was affected, which would have significantly reduced the number of impacted customers, says Jeremy Griffin, senior security consultant at Prism Infosec. This indicates that it had some security measures to prevent criminals from affecting Dropbox products further.
“Undoubtedly, the attackers would have performed in-depth reconnaissance against their target, and it’s safe to assume if they could have affected the other services networks, they would have done,” Griffin says.
He says it highlights the importance of correctly segregating network access to reduce the potential impact an attacker could achieve.
Despite the positives, numerous security failings could have led to the Dropbox breach, showing how important it is to make cybersecurity a priority. Arntz suggests that the configuration tool that apparently gave the attacker a foothold was likely not developed with this ethos in mind.
The attacker compromised a back-end service account, but it’s hard to tell how the credentials were leaked, says Arntz. “Perhaps in another breach, or maybe they were sold by a disgruntled former employee.”
The breach shows Dropbox needed more robust cybersecurity measures to prevent unauthorised access, says Obaidullah Ahmend, cybersecurity consultant at Toro. He suggests firms of all sizes consider strengthening network security, keeping software patched and up to date, and conducting thorough risk assessments.
At the same time, part of boosting overall security is about educating employees on best practices, says Ahmend. “Train staff members to recognise common threats such as phishing scams and malware attacks and encourage adherence to security protocols to mitigate risks.”
In general, experts say Dropbox communicated transparently with its users. The firm provided regular updates on the situation and offered guidance on security measures to mitigate potential risks, says Ahmend.
The Dropbox security team quickly ascertained that the breach only affected the Dropbox Sign infrastructure, so the firm was able to allay the fears of the majority of its user base, says Griffin. It also took action to reset user passwords, log users out of devices connected to the service, and rotate all API keys and OAuth tokens.
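The three remediation steps above (force password resets, log out every existing session, rotate API keys and OAuth tokens) come down to one design decision: whether the credential store can invalidate everything issued before a chosen cutoff in a single write, rather than enumerating each token. The following is an added illustration, not Dropbox's code; the store, account names and token values are constructed for the example, and a per-account "invalid at or before" watermark is the assumed mechanism.

```python
"""Added example (not Dropbox's own code): post-breach credential invalidation.

Models the three remediation steps listed in the article. Sessions and API
keys carry an issue time; a single per-account watermark rejects everything
issued at or before the breach cutoff, so nothing outstanding has to be found
one by one. All data below is constructed for the example.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ApiKey:
    key_id: str
    secret: str
    issued_at: float
    revoked: bool = False


@dataclass
class Account:
    email: str
    password_reset_required: bool = False
    # Anything issued at or before this timestamp is dead. One write per
    # account invalidates every outstanding session, API key and OAuth token.
    invalid_at_or_before: float = -1.0
    api_keys: dict = field(default_factory=dict)  # key_id -> ApiKey


@dataclass
class Session:
    email: str
    token: str
    issued_at: float


class CredentialStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}  # session token -> Session

    def create_account(self, email: str) -> Account:
        acct = Account(email)
        self.accounts[email] = acct
        return acct

    def issue_session(self, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(email, token, now)
        return token

    def issue_api_key(self, email: str, now: float) -> ApiKey:
        key = ApiKey(secrets.token_hex(8), secrets.token_urlsafe(32), now)
        self.accounts[email].api_keys[key.key_id] = key
        return key

    def session_valid(self, token: str) -> bool:
        sess = self.sessions.get(token)
        if sess is None:
            return False
        return sess.issued_at > self.accounts[sess.email].invalid_at_or_before

    def api_key_valid(self, email: str, key_id: str, presented_secret: str) -> bool:
        acct = self.accounts.get(email)
        key = acct.api_keys.get(key_id) if acct else None
        if key is None or key.revoked or key.issued_at <= acct.invalid_at_or_before:
            return False
        # Constant-time comparison so the check itself does not leak the secret.
        return hmac.compare_digest(key.secret, presented_secret)

    def respond_to_breach(self, cutoff: float, now: float) -> dict:
        """Apply all three remediation steps to every account.

        cutoff: latest moment the attacker may still have held valid material.
        now:    when the replacement keys are minted; must be after the cutoff,
                otherwise the replacements would be killed by the watermark.
        Returns {email: {old_key_id: new_key_id}} so integrators can be told
        exactly which key to swap.
        """
        if now <= cutoff:
            raise ValueError("replacement keys must be issued after the cutoff")
        rotated: dict = {}
        for email, acct in self.accounts.items():
            acct.password_reset_required = True  # 1. force a password reset
            acct.invalid_at_or_before = cutoff   # 2. log out every session
            rotated[email] = {}
            for old in list(acct.api_keys.values()):  # 3. rotate keys/tokens
                if old.revoked or old.issued_at > cutoff:
                    continue
                old.revoked = True
                new = self.issue_api_key(email, now)
                rotated[email][old.key_id] = new.key_id
        return rotated


if __name__ == "__main__":
    store = CredentialStore()
    store.create_account("alice@example.com")  # constructed account
    tok = store.issue_session("alice@example.com", now=100.0)
    key = store.issue_api_key("alice@example.com", now=100.0)
    rotated = store.respond_to_breach(cutoff=150.0, now=200.0)
    print("old session valid:", store.session_valid(tok))
    print("old key valid:", store.api_key_valid("alice@example.com", key.key_id, key.secret))
    print("rotated:", rotated)
```

The watermark approach matters in practice because the breach window is rarely known precisely at disclosure time: moving the cutoff later is one more write per account, whereas a token-by-token revocation list has to be regenerated. The same field also governs OAuth refresh tokens if they carry an issue timestamp.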
Following the initial investigation, Dropbox says it is conducting an “extensive review” of how the breach occurred. This review is said to be ongoing, with additional updates to be issued as and when the company has them, says Griffin.
Keeping the communication channel open with its customers in this way is “a great example” of how to do post-incident response effectively in a way that keeps users onboard – provided the firm follows through, he says. “Too many companies assume they’ve fulfilled their responsibilities via the initial disclosure.”
Other companies can learn from this: It’s important to maintain transparency and communication even after the first announcement. “In the event of a data breach, communicate openly with affected parties, providing regular updates and guidance on security measures to mitigate risks and rebuild trust,” says Ahmend.
Experts think Dropbox was quick to implement the correct security protocols following the attack. Dropbox’s security teams took “numerous actions” to mitigate any further risk, says Jack Peters, customer solutions architect at cloud and connectivity provider M24.
Dropbox also took steps to establish what had happened and why. The investigation was carried out by a third party specialising in forensic investigation, which helped Dropbox understand what happened, why, and what it needed to do next, says Alex Martin, incident response and threat hunting analyst at NormCyber.
“With the support of the third-party forensic investigators, Dropbox could determine what was accessed, which allowed it to establish which recovery actions could be taken. This included reporting the breach to regulators and affected customers.”
Responding quickly makes all the difference, which comes down to the organisation’s ability to identify and rectify an attack, says Griffin. “The longer an attacker has access to a network, the more time they have to learn and identify weaknesses in system defences.”
If there’s anything positive to be taken from the Dropbox breach, it is that it has provided plenty of lessons for other businesses. Acquisitions can open security gaps, so identify these and fix them to prevent attackers from gaining access in the first place.
If you are breached, the ability to respond is critical. Communication should be clear and transparent to limit the damage to your reputation and help avoid regulatory fines.