"I saw the [Dropbox] Sign and it opened up my eyes to continuously monitoring our third-party apps"
Dropbox, a leading cloud storage provider, announced on May 2, 2024 a significant security breach affecting its eSignature platform, Dropbox Sign (formerly HelloSign), as reported by BleepingComputer. The breach involved unauthorized access to production systems, resulting in the exposure of sensitive customer data.
Read on for additional breach details and for how Vorlon customers are able to detect and investigate their information systems architecture in near real-time for indicators of compromise (IOCs) caused by the Dropbox Sign security incident.
Details of the Dropbox Sign Breach
Hackers penetrated the backend systems of Dropbox Sign, a platform that enables users to send and receive legally binding signatures electronically. The attackers gained access to crucial system configuration tools which allowed them to manipulate the platform with elevated privileges.
Data Involved
Access to a wide array of sensitive information was gained, including:
- Customer emails, usernames, and phone numbers.
- Hashed (rather than plaintext) passwords, which offers some level of protection for the stored credentials.
- Authentication details such as API keys, OAuth tokens, and multi-factor authentication (MFA) keys.
Dropbox has not found evidence suggesting that the attackers gained access to customers' documents or agreements.
Response to the Incident
Upon discovering the breach, Dropbox initiated a thorough investigation, which revealed the extent of the access and the methods used by the threat actors. This led to a series of security measures aimed at mitigating the impact of the breach, including:
- All user passwords for Dropbox Sign were reset.
- Sessions for all users of Dropbox Sign were logged out.
- Usage of API keys was restricted until customers could rotate them to ensure security.
- A security advisory was issued detailing steps for customers to rotate API keys and reconfigure MFA settings.
Recommendations from Dropbox to Its Customers
Dropbox has issued specific recommendations for its users to help secure their accounts and minimize potential harm:
- Users should be vigilant for phishing attempts that might use the breached data.
- If contacted via email to reset passwords, users should not click on any links but instead go directly to the Dropbox Sign website to change their password.
- Users who utilize MFA are advised to delete their existing configuration and set up a new MFA key through Dropbox Sign's website.
In light of this breach, Dropbox is actively communicating with affected customers and has taken steps to prevent such incidents in the future. Users are urged to follow all recommended security measures and stay informed via Dropbox's official communications.
Vorlon Customers Know In Near Real-Time
First, we want to praise Dropbox on a few things.
- Dropbox made the discovery on April 24, 2024 and released a security advisory on May 1, 2024. Dropbox’s response is commendable both for the amount of information disclosed about the breach and the turnaround time to disclose.
- Restricting API keys is a smart way to assist customers in preventing further abuse of the stolen data until the keys can be rotated.
- Terminating all user sessions and forcing a password reset is another smart way to assist customers. We just hope customers have the strongest form of MFA enabled without a phishable fallback method. Dropbox can only do so much on this front—after all, security is a shared responsibility.
Ok, so what is it that Vorlon customers know in near real-time that others do not? For starters, they know what, where, and when their data is moving between their third-party applications, which make up an increasingly large percentage of their information systems architecture compared with, say, 15 or even 10 years ago. They know when something abnormal is going on between these third-party applications. They are provided enriched threat intelligence on top of what their logs alone provide.
For example, your SOC would be alerted in near real-time when an API token that is typically used by one specific application from a familiar source IP is suddenly also being used to connect from a previously unseen IP address.
- It could be a Revenue Operations employee on vacation logging in and repurposing the same access token with a cool new business planning tool so a sales leader can do some territory planning while the RevOps employee is sampling wine in Mendoza.
- Or, it could be an attacker that somehow got ahold of that API token and is attempting to leverage its over permissive access to download all customer contracts and opportunities.
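To make the detection above concrete, here is an added example (not Vorlon's or Dropbox's code) of the baseline-and-deviation check a SOC would run over third-party API audit logs. The log format, token fingerprints, IP addresses, client names and API action names are all constructed for the example; the idea is the one in the paragraph: learn which source IPs and which client application each API token is normally used from, then alert when a known token shows up from an unseen IP or an unseen client, or when a token nobody has baselined appears at all.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed audit-log format for this example (not a real vendor schema):
#   <ISO-8601 timestamp> token=<key fingerprint> ip=<source ip> client=<integration> action=<api action>
# The token field is a fingerprint/ID of the API key, never the secret itself.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) ip=(?P<ip>\S+) "
    r"client=(?P<client>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    token: str
    ip: str
    client: str
    action: str


def parse_line(line: str) -> Event:
    """Parse one constructed audit line into an Event; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Event(ts, m["token"], m["ip"], m["client"], m["action"])


class TokenBaseline:
    """Expected pairings learned during a quiet period: token -> source IPs, token -> client apps."""

    def __init__(self) -> None:
        self.ips = defaultdict(set)
        self.clients = defaultdict(set)

    def learn(self, ev: Event) -> None:
        self.ips[ev.token].add(ev.ip)
        self.clients[ev.token].add(ev.client)

    def check(self, ev: Event) -> list:
        """Return zero or more alert dicts for a single post-baseline event."""
        if ev.token not in self.ips:
            # A token the baseline has never seen: worth a look on its own.
            return [_alert(ev, "token-never-seen", ev.token)]
        alerts = []
        if ev.ip not in self.ips[ev.token]:
            alerts.append(_alert(ev, "new-source-ip", ev.ip))
        if ev.client not in self.clients[ev.token]:
            alerts.append(_alert(ev, "new-client", ev.client))
        return alerts


def _alert(ev: Event, reason: str, value: str) -> dict:
    return {"ts": ev.ts.isoformat(), "token": ev.token, "reason": reason,
            "value": value, "action": ev.action}


def build_baseline(lines) -> TokenBaseline:
    baseline = TokenBaseline()
    for line in lines:
        baseline.learn(parse_line(line))
    return baseline


def detect(baseline: TokenBaseline, lines) -> list:
    """Run every new line through the baseline and collect the alerts in order."""
    alerts = []
    for line in lines:
        alerts.extend(baseline.check(parse_line(line)))
    return alerts


# Constructed sample data (RFC 5737 documentation IP ranges).
BASELINE_LINES = [
    "2024-04-20T09:12:01Z token=key_7f3a ip=203.0.113.10 client=crm-connector action=list_signature_requests",
    "2024-04-21T09:12:05Z token=key_7f3a ip=203.0.113.10 client=crm-connector action=get_signature_request",
    "2024-04-21T11:40:00Z token=key_9c21 ip=198.51.100.7 client=hr-onboarding action=send_signature_request",
]
NEW_LINES = [
    # Same token, same IP, same client: normal, no alert.
    "2024-04-24T03:02:11Z token=key_7f3a ip=203.0.113.10 client=crm-connector action=list_signature_requests",
    # Known token from an IP never seen for it: the case the post describes.
    "2024-04-24T03:05:42Z token=key_7f3a ip=192.0.2.55 client=crm-connector action=list_signature_requests",
    # Unseen IP and an unseen client on a document download: two findings on one event.
    "2024-04-24T03:06:10Z token=key_7f3a ip=192.0.2.55 client=python-requests action=download_document",
    # A token that was never baselined at all.
    "2024-04-24T03:07:00Z token=key_0000 ip=192.0.2.55 client=python-requests action=download_document",
]


def run_example() -> list:
    return detect(build_baseline(BASELINE_LINES), NEW_LINES)


if __name__ == "__main__":
    for a in run_example():
        print(a)
```

The whole value of this check is in the baseline: it only tells you that a token is behaving differently from how it behaved last week, which is exactly the triage signal the post describes (vacationing RevOps employee or stolen key, the SOC now knows where to start looking). In production the baseline would be rebuilt on a rolling window and the IP comparison would usually be done at the ASN or /24 level rather than the exact address, so that a laptop changing hotel Wi-Fi does not page anyone while a token moving to a different provider's network still does.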
Organizations that are not monitoring the activities between their third-party applications will otherwise have no idea where to start their investigations until Dropbox releases an official security advisory with a list of IOCs. Mind you—these advisories are never sent in near real-time. Advisories are usually sent days, weeks, months, or even years after the breach occurs, is finally detected and investigated, and critical remediation steps are underway or even completed.
Third-Party Detection and Response
A common use case for Vorlon is third-party detection and response. When you have many third-party applications, your detection and response times can slow down. Third-party audit logs are hard to read and even harder to correlate. This complexity makes it challenging to understand the full scope of each app, their access secrets, and data flows affected by breaches and security incidents.
For the average large enterprise, ‘many’ is more like 400+ vendors comprising their information systems architecture. But, when organizations continuously monitor their third-party applications, the security team spends less time digging through logs for IOCs because their third-party API security platform does the heavy lifting for them.
Critical capabilities in a third-party API security platform must include:
- Abnormal Behavior Detection with Alerts
- Comprehensive Map of All Third-Parties Within Your Org's Information Systems Architecture
  - The platform must be capable of identifying third-party apps connecting to one another, and of observing business critical applications for abnormalities.
  - Ensure you understand where your organization’s sensitive data is flowing and quickly identify affected data when a breach happens—not days, weeks, or even months later.
  - Enhance your investigation for IOC activity and identify affected accounts and secrets.
- Response/Remediation Capabilities
  - Rotate affected accounts or secrets across all apps.
  - Ensure seamless continuation of existing workflows (or put another way — to understand and preferably prevent any potential operational disruptions).
For more information, visit our Third-Party Detection and Response use case page or request a demo.