Dropbox dropped the ball on security, haemorrhaging customer and third-party info

From theregister.com

Dropbox has revealed a major attack on its systems that saw customers’ personal information accessed by unknown and unauthorized entities.

The attack, detailed in a regulatory filing, impacted Dropbox Sign – a service it bills as an “eSignature solution [that] lets you send, sign, and store important documents in one seamless workflow, without ever leaving Dropbox.” So basically a DocuSign clone.

The filing states that management became aware of the incident last week – on April 24 – and “immediately activated our cyber security incident response process to investigate, contain, and remediate the incident.”

That effort led to the discovery that “the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings.”

It gets worse: “For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication,” the filing states.
