File hosting service Dropbox breached by cyberattack

SAN FRANCISCO — There’s been another major disruption to hit the cybersecurity world, as online file hosting service Dropbox has reported a data breach with the U.S. Security and Exchange Commission (SEC). 

In its SEC filing, the company says it became aware of the incident in April. 

“When we became aware of the incident, we launched an investigation with industry-leading forensic investigators to understand what happened and mitigate risks to our users,” Dropbox wrote in the filing. “We have notified and are working with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.” 

The hack reportedly exposed data related to users of Dropbox Sign, including their emails and usernames, and general account settings. Dropbox clarified that users that created a Dropbox Sign or HelloSign account but did not set up a password through them (e.g. “Sign up with Google”) were not exposed. 

Additionally, the company said it found no evidence of unauthorized access to the contents of customer accounts or their payment information.   

“As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations, given our current understanding that this incident is limited to the Dropbox Sign infrastructure,” the company wrote in the filing. “We have not determined that the incident is reasonably likely to materially impact our financial condition or results of operations. We remain subject to various risks due to the incident, including potential litigation, changes in customer behavior, and additional regulatory scrutiny. Our remediation efforts are ongoing.” 

But as one expert tells Security Systems News (SSN), the hack poses a tremendous threat for affected business users. 

“Adversaries having access to sensitive documents and a signature service offers tremendous scope for abuse, identity theft, fraud and business email compromise,” said Socura CEO Andy Kays. “Dropbox users must act as though an attacker has their signature and the ability to sign legal documents in their name. They should change their passwords and enable MFA immediately.” 

Kay attributes the conditions for the hack to their acquisition of HelloSign in 2019. 

“This looks like a classic case of breach through acquisition,” he said. “When a large company buys a smaller one, it can throw up major security risks. The most common scenarios are that the acquired company has vulnerabilities, limited security capabilities, or there are compatibility issues as products, technologies, services and teams are integrated. The fact that only the Dropbox Sign product was breached, not the wider business, suggests that a security gap either existed with the HelloSign product at the time of purchase, or developed over time as the company changed and rebranded it.” 

Dropbox is set to announce its quarterly earnings on May 9th, 2024.