Dropbox Sign breached

I just received an email from Dropbox saying that their product Dropbox Sign had a breach.


We are reaching out to you as we learned of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment on April 24. Upon further investigation, we determined that a threat actor had accessed Dropbox Sign customer information. You’re receiving this message because your information was among the data accessed by this third party.

What happened
We can confirm that Dropbox Sign customer information such as emails, usernames, phone numbers, hashed passwords, multi-factor authentication, and general account settings were obtained. Based on our investigation, there is no evidence of unauthorized access to customer account content (i.e. customer documents or agreements) or customer payment information.

What we are doing
When we became aware of this issue, we launched an investigation with the help of industry-leading forensic investigators to find out what had happened and mitigate the risks to our users. As a result, our security team reset user passwords and logged users out of all devices connected to Dropbox Sign.

What you can do
Passwords and multi-factor authentication: To further protect your account, we expired your password and signed you out of all devices where you had connected to Dropbox Sign. The next time you sign in to your Sign account, you’ll be sent an email to reset your password. Customers who use an authenticator app for multi-factor authentication should reset it as soon as possible. Please delete your existing entry and then reset it. If you’re using SMS, you don’t need to do anything.

If you’ve used your Dropbox Sign password for other services, we strongly recommend that you change your password for those accounts and use multi-factor authentication where available. Instructions on how to do this for your Dropbox Sign account can be found here.

Being trustworthy is our highest value at Dropbox. We have high standards for ourselves when it comes to protecting our customers and their content. We were unable to meet those standards here, and we deeply regret the impact this has had on our customers. We are grateful for our partnership with you and are available to help anyone affected by this incident. For more information on this incident, all ways to contact us and updates, please click here.

(Translated from German text)

Just wanted to inform you all.


Looks like consensus is growing around there being some sort of vulnerability left over from HelloSign systems (the company that was acquired in 2019 and turned into Dropbox Sign) that led to this.

“This looks like a classic case of breach through acquisition,” Andy Kays, CEO of Socura, said. “The most common scenarios are that the acquired company has vulnerabilities, limited security capabilities, or compatibility issues as products, technologies, services and teams are integrated.” Whatever the root cause of the unauthorized access, an attacker managed to get access to a service handling sensitive documents and that means there’s a whole heap of abuse that could follow. The Dropbox Sign breach “offers tremendous scope for abuse, identity theft, fraud, and business email compromise,” Socura warns, concluding, “Dropbox users must act as though an attacker has their signature and the ability to sign legal documents in their name. They should change their passwords and enable MFA immediately.” - Forbes


Basically you shouldn’t trust any signed documents with this tool. That can have quite some consequences.
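Why the email tells authenticator-app users to re-enroll but SMS users to do nothing, shown as an added example (this is not Dropbox's code, and nothing here is known about how Dropbox Sign actually stores MFA data): a TOTP authenticator app and the server share a static seed, so if the server-side copy of that seed was in the stolen data, an attacker computes exactly the same six-digit codes as the victim's phone until the seed is rotated. SMS codes are generated fresh per login and are not derived from a stored secret, so there is nothing to rotate. The seed below is the public RFC 6238 test seed (constructed input), and the helper names are mine.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Same seed + same clock = same code."""
    return hotp(seed, at_time // step, digits)


def verify_totp(server_seed: bytes, code: str, at_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the code for the current step and +/- `window` steps of clock drift.
    Uses a constant-time compare so the check itself does not leak digits."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(server_seed, at_time + drift * step, step), code):
            return True
    return False


def attacker_can_login(leaked_seed: bytes, server_seed: bytes, at_time: int) -> bool:
    """Simulate the breach scenario: the attacker derives a code from the seed found in the dump and
    submits it to a server that is still using `server_seed`."""
    attacker_code = totp(leaked_seed, at_time)
    return verify_totp(server_seed, attacker_code, at_time)


def rotate_seed(nbytes: int = 20) -> bytes:
    """Re-enrollment: generate a fresh random seed. The old app entry must be deleted and a new one
    provisioned, which is the step the email asks authenticator-app users to take."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(seed: bytes, account: str, issuer: str = "ExampleIssuer") -> str:
    """otpauth:// URI an authenticator app scans from a QR code (issuer/account are hypothetical)."""
    secret_b32 = base64.b32encode(seed).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test seed stands in for a seed stored server-side and then stolen.
    stolen_seed = b"12345678901234567890"
    now = 1_700_000_000
    print("victim's phone shows :", totp(stolen_seed, now))
    print("attacker computes    :", totp(stolen_seed, now))
    print("attacker logs in     :", attacker_can_login(stolen_seed, stolen_seed, now))
    fresh_seed = rotate_seed()
    print("after re-enrollment  :", attacker_can_login(stolen_seed, fresh_seed, now))
    print("new enrollment URI   :", provisioning_uri(fresh_seed, "user@example.com"))
```

Note that a password reset alone does not close this gap: the code check in `verify_totp` is independent of the password, so an attacker holding the old seed plus a reused or phished password still passes MFA until `rotate_seed` has been run and the new seed enrolled in the app.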