All posts by Hassan Jaber

Dropbox says hackers stole customer data, auth secrets from eSignature service

Cloud storage firm Dropbox says hackers breached production systems for its Dropbox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information.

Dropbox Sign (formerly HelloSign) is an eSignature platform allowing customers to send documents online to receive legally binding signatures.

The company says it detected unauthorized access to Dropbox Sign’s production systems on April 24 and launched an investigation.

This investigation determined that the threat actors gained access to a Dropbox Sign automated system configuration tool, which is part of the platform’s backend services.

This configuration tool enabled the threat actor to execute applications and automated services with elevated privileges, allowing the attacker to access the customer database.

“Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication,” warns Dropbox.

The email addresses and names of people who used the eSignature platform without registering an account were also exposed.

The company says it found no evidence that the threat actors accessed customers’ documents or agreements, or reached the platforms of other Dropbox services.

Dropbox says that it reset all users’ passwords, logged out all sessions to Dropbox Sign, and restricted how API keys can be used until they are rotated by the customer.

The company’s security advisory provides additional information on how to rotate API keys so that they regain full privileges.

Those who utilize MFA with Dropbox Sign should delete the configuration from their authenticator apps and reconfigure it with a new MFA key retrieved from the website.

Dropbox says it is currently emailing all customers impacted by the incident.

For now, Dropbox Sign customers should be on the lookout for potential phishing campaigns utilizing this data to collect sensitive information, such as plaintext passwords.

If you receive an email from Dropbox Sign asking you to reset your password, do not follow any links in the email. Instead, visit Dropbox Sign directly and reset your password from the site.

In 2022, Dropbox disclosed a security breach after threat actors stole 130 code repositories by breaching the company’s GitHub accounts using stolen employee credentials.

AnyDesk Hacked!!

In a statement shared with BleepingComputer late Friday afternoon, AnyDesk says it first learned of the attack after detecting indications of an incident on its production servers.

After conducting a security audit, the company determined its systems were compromised and activated a response plan with the help of cybersecurity firm CrowdStrike.

AnyDesk did not share details on whether data was stolen during the attack. However, BleepingComputer has learned that the threat actors stole source code and code signing certificates.

The company also confirmed that ransomware was not involved but shared little about the attack beyond saying its servers were breached; the advisory focuses mainly on how it responded to the incident.

As part of its response, AnyDesk says it has revoked security-related certificates and remediated or replaced systems as necessary. It also reassured customers that AnyDesk is safe to use and that there is no evidence of end-user devices being affected by the incident.

“We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate,” AnyDesk said in a public statement.

While the company says no authentication tokens were stolen, out of caution AnyDesk is revoking all passwords to its web portal and recommends changing the password anywhere else it was reused.

DAAM Virus

An Android malware called ‘Daam’ that infects mobile phones and steals sensitive data such as call records, contacts, browsing history and camera content has been found to be spreading, the national cyber security agency said in its latest advisory.

The virus is also capable of “bypassing anti-virus programs and deploying ransomware on the targeted devices”, the Indian Computer Emergency Response Team (CERT-In) said.

The agency is the federal technology arm responsible for combating cyber attacks and guarding cyberspace against phishing, hacking and similar online attacks.