The Dropbox data breach is a classic case of “breach by acquisition”


The Dropbox data breach is a classic case of “breach by acquisition”, security experts have told ITPro, whereby an organization onboards a new service or product and falls victim to unknown vulnerabilities

Dropbox disclosed a data breach affecting its e-signature service, Dropbox Sign, on 1 May. The company revealed customer data was accessed by unauthorized threat actors during the incident, and that the attacker(s) gained access to a Dropbox Sign production environment on 24 April. 

Dropbox acquired the e-signature service HelloSign in 2019, and rebranded the service to Dropbox Sign in 2022.

Andy Kays, CEO of IT security service Socura, said the data breach underscores an underappreciated security consideration affecting large businesses trying to integrate new acquisitions into their portfolio.

This, he suggested, looks like a familiar case where a company inherits security vulnerabilities from another entity as they begin to merge.

“This looks like a classic case of breach through acquisition. When a large company buys a smaller one, it can throw up major security risks,” he said. 

“The most common scenarios are that the acquired company has vulnerabilities, limited security capabilities, or there are compatibility issues as products, technologies, services and teams are integrated.”

Dropbox data breach: What happened?

An investigation by Dropbox found the hackers had gained access to a Dropbox Sign automated system configuration tool and compromised a service account in Sign’s back-end used to execute applications and run automated services.

This gave the attacker the privileges it needed to continue its infection chain within the production environment, namely to access Dropbox Sign’s customer database.

The company’s SEC filing stated the threat actor was able to access data related to all users of Dropbox Sign, such as emails, usernames, and general account settings.

Dropbox added that the hackers were able to access further sensitive information belonging to a subset of Sign users, including phone numbers, hashed passwords, and certain authentication information, such as API keys, OAuth tokens, and multi-factor authentication details.


Non-Dropbox Sign customers who received or signed a document through the service, but never created an account, also had their email addresses and names exposed, according to the filing.

Dropbox noted that there was no evidence the attack compromised the contents of user accounts, including their agreements or templates, or their payment information.

The company’s filing stated the incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products.

The announcement added that Dropbox’s security team had reset user passwords, logged users out of any devices they had previously connected to Dropbox Sign, and organized the rotation of all API keys and OAuth tokens.

Core Dropbox services don’t appear to have been impacted

According to Kays, the fact that no other Dropbox services were impacted by the breach indicates the security issue lay with the Dropbox Sign system rather than with any of Dropbox’s core services, and suggests the e-signature service had not been fully integrated on the back end.

“The fact that only the Dropbox Sign product was breached, not the wider business, suggests that a security gap either existed with the HelloSign product at the time of purchase, or developed over time as the company changed and rebranded it.”

Kays warned that the level of access achieved by the threat actor would give them enough information to launch a number of new attacks. As such, he suggested Dropbox users should assume their signature has been compromised and secure themselves accordingly.

“Adversaries having access to sensitive documents and a signature service offers tremendous scope for abuse, identity theft, fraud, and business email compromise. Dropbox users must act as though an attacker has their signature and the ability to sign legal documents in their name. They should change their passwords and enable MFA immediately.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.