Dropbox Sign: hack of the service exposes users' emails, phone numbers and passwords

Dropbox has acknowledged a hack that affected its Dropbox Sign digital signature service, in which user information, such as emails, phone numbers and login passwords, was exposed.

The technology company launched an investigation after detecting unauthorized access to the Dropbox Sign production environment on April 24. From this, the company initially concluded that no other product was affected, since they run on separate infrastructure, but that the malicious actor did gain access to user information.

Specifically, the technology company details in a statement the theft of data such as email addresses, usernames, phone numbers and hashed passwords, but also account configuration and login elements such as API keys, OAuth tokens and multi-factor authentication.

This data exposure also affects users who, despite not having created an account, used the service to sign electronic documents. In the case of users with an account, those who have enabled login with another service, for example, with a Google account, have not had their password stolen. Signed documents and payment information have also not been exposed.

The malicious actor gained access to Sign’s production environment after gaining control of an automated system configuration tool, which has privileges over a wide variety of actions, including access to the user database.

In response, Dropbox has informed those affected of what happened, offering a guide to the steps they should take to secure their information. It has also reset account passwords, closed the sessions of users who had the account open on different devices, and coordinated a rotation of API keys and OAuth tokens.

By Editor
