Dropbox Sign eSignature Platform Breached: What You Need to Know

Cloud storage giant Dropbox recently revealed that hackers managed to breach its Dropbox Sign eSignature platform, getting their hands on authentication tokens, multi-factor authentication (MFA) keys, hashed passwords, and customer information. If you’re not familiar with Dropbox Sign (previously known as HelloSign), it’s a service that enables customers to send documents online for legally binding signatures.

When and How Did the Breach Occur?

We discovered unauthorized access to Dropbox Sign’s production systems on April 24, prompting us to launch an investigation. Our findings showed that the threat actors gained access to a Dropbox Sign automated system configuration tool, which is part of the platform’s backend services. This configuration tool allowed the attacker to execute applications and automated services with elevated privileges, ultimately enabling them to access the customer database.

What Data Was Compromised?

Upon further investigation, we found that the threat actor accessed data such as Dropbox Sign customer information, including emails, usernames, phone numbers, and hashed passwords. Additionally, they got their hands on general account settings and certain authentication information, such as API keys, OAuth tokens, and multi-factor authentication. Unfortunately, even users who used the eSignature platform without registering an account had their email addresses and names exposed.

Was Any Other Data or Services Affected?

While this breach is undoubtedly concerning, the silver lining is that we found no evidence that the threat actors gained access to customers’ documents or agreements. Furthermore, they did not access the platforms of other Dropbox services.

What Measures Have Been Taken to Address This Issue?

In response to the breach, we’ve reset all users’ passwords, logged out all sessions to Dropbox Sign, and restricted how API keys can be used until they are rotated by the customer. We’ve also provided additional information in our security advisory on how to rotate API keys to regain full privileges.

What Should Dropbox Sign Customers Do Now?

If you utilize MFA with Dropbox Sign, you should delete the configuration from your authenticator apps and reconfigure it with a new MFA key retrieved from the website. We’re currently emailing all customers impacted by the incident.

Moreover, be on the lookout for potential phishing campaigns using this data to collect sensitive information, such as plaintext passwords. If you receive an email from Dropbox Sign asking you to reset your password, don’t follow any links in the email. Instead, visit Dropbox Sign directly and reset your password from the site.

Stay Alert and Informed

As cyber threats continue to evolve and become more sophisticated, it’s essential to stay informed and proactive in protecting your data. Remember that in 2022, Dropbox disclosed a security breach after threat actors stole 130 code repositories by breaching the company’s GitHub accounts using stolen employee credentials.

Keep Coming Back to Learn More

With cybersecurity being a top priority for individuals and businesses alike, we encourage you to stay up-to-date on the latest threats and best practices for keeping your data secure. Keep coming back to IT Services to learn more and stay informed about the ever-changing landscape of cybersecurity.

Image: Coolcaesar (CC BY-SA 4.0)

Imagine this: you’re enjoying a delicious meal at your favorite Panda Express restaurant, blissfully unaware that a data breach just occurred within the parent company, Panda Restaurant Group. This breach affected not only Panda Express, but also Panda Inn, and Hibachi-San, compromising their corporate systems in March and stealing the personal information of an unknown number of associates.

As the largest Chinese fast food chain in the United States, with over $3 billion in sales and 47,000 associates working in 2,300 branches, Panda Express is a household name. So when they discovered a data security breach on March 10, 2024, which only impacted their corporate systems and left in-store systems, operations, and guest experience unaffected, they took immediate action.

Thankfully, the incident only impacted current and former associate data, leaving guest data untouched. As soon as the breach was detected, Panda Restaurant Group secured its environment, activated remediation and recovery efforts, and initiated a thorough investigation with the help of third-party cybersecurity experts and law enforcement agencies to establish the nature and extent of the breach.

After a thorough investigation, it was determined that certain information maintained on their corporate systems was accessed by unauthorized actors between March 7-11, 2024. With the support of third-party experts, Panda Restaurant Group then began a thorough review of the affected data to identify the specific information and individuals impacted.

Unknown number of affected people

While the exact number of individuals affected by the breach has yet to be disclosed, information filed with the Office of the Maine Attorney General reveals that the exposed data includes affected peoples’ names or other personal identifiers, as well as their driver’s license numbers or non-driver identification card numbers.

Panda Restaurant Group continues to work with law enforcement, who are conducting an active investigation into the unauthorized actors responsible for this incident. In response to the breach, Panda has implemented additional technical safeguards to further enhance the security of information in their possession and to help prevent similar events from happening in the future.

As of now, a Panda Restaurant Group spokesperson has yet to reply to requests for additional details regarding the incident, including the total number of affected people and if the attackers have made any ransom demands.

So, what does this all mean for you? It’s a stark reminder that cybersecurity is an ever-present concern in today’s digital world. Every organization, no matter how big or small, must take the necessary steps to protect their data and the personal information of their employees and customers.

Let this be a wake-up call: don’t wait until it’s too late to take action. Contact us today to learn more about how you can safeguard your organization from cyber threats and keep coming back for more valuable insights and advice.

Imagine waking up one day, only to find out that your personal and financial information has been stolen in a security breach. This is what happened to 25,549 individuals whose data was compromised in a recent cybersecurity attack on the Philadelphia Inquirer, the city’s largest newspaper and the third-longest operating daily newspaper in the United States.

The Attack and Its Aftermath

Picture this: It’s May 2023, and the Philadelphia Inquirer’s content management system suddenly goes down. The newspaper quickly realizes that something is amiss and takes some computer systems offline to contain the breach. They also bring in Kroll forensics experts to investigate the “anomalous activity.”

As a result of the attack, the publication of the print newspaper is disrupted, and home-delivery subscribers are asked to catch up with the latest news using the newspaper’s website, which remains unaffected.

In their data breach notifications, the Inquirer states, “We determined that an unauthorized party gained access to our systems and certain files were viewed and/or copied from our systems between May 11, 2023, and May 13, 2023.” The exposed information includes names, personal identifiers, and financial account numbers, as well as credit/debit card numbers (in combination with security code, access code, password, or PIN for the accounts).

The newspaper advises affected individuals to monitor their accounts for identity theft and fraud attempts and offers 24 months of free Experian credit monitoring and identity restoration services.

The Culprit: Cuba Ransomware Gang

Although the Inquirer doesn’t reveal who’s responsible for the attack, the Cuba ransomware gang takes credit for it one week after the incident. The group claims to have stolen financial documents, correspondence with bank employees, balance sheets, tax documents, compensation, and source code from the newspaper’s compromised servers.

Cuba then publishes the files on its dark web leak site, which suggests that the Inquirer refused to pay a ransom and the extortion attempt hit a dead end. However, the Inquirer later reports that the documents don’t “appear to come from the newspaper.” Subsequently, the ransomware gang removes the Philadelphia Inquirer entry from its website.

The Bigger Picture: Ransomware Attacks on the Rise

The Cuba ransomware gang is no stranger to such attacks. According to a joint security advisory by the FBI and CISA, the group collected over $60 million in ransoms until August 2022 after breaching more than 100 victims worldwide. A previous FBI advisory from December 2021 also warned that Cuba operators had compromised at least 49 U.S. critical infrastructure organizations.

Don’t Be the Next Victim: Protect Yourself and Your Information

The Philadelphia Inquirer breach is a stark reminder that we all need to be vigilant about our cybersecurity. Whether you’re an individual or a business owner, it’s crucial to stay informed and take necessary precautions to protect your data from potential threats.

So, what are you waiting for? Get in touch with us at IT Services to learn more about how to safeguard yourself from cyberattacks and keep your information secure. We’re here to help you stay one step ahead of the bad guys and ensure your peace of mind.