[Material-Incidents] No. 7
Dropbox's Detailed 8-K
Hey everyone,
An exciting filing this week: Dropbox filed their first incident on Wednesday. I’m particularly interested in this filing because Dropbox is one of the first pure SaaS providers and tech companies to file an 8-K since the SEC requirements went into place this past December, and as expected, their filing provides more detail than most of the filings we’ve seen to date.
This is unfortunately the second security incident over the past two years for Dropbox. In 2022, a targeted phishing campaign was used to compromise a GitHub account, which led to the copying of 130 source code repositories owned by Dropbox and the sensitive data contained therein (employee and customer information). The most recent incident used a different attack vector and, based on details from the filing, seems to have a larger blast radius:
“we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings. For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication”
The only users currently impacted by the breach are Dropbox Sign users (Dropbox acquired HelloSign, the digital signature company, back in 2019). The company is still investigating the issue but believes the incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products or users. The ongoing investigation uncovered that a service account was compromised when a third party gained access to an internal configuration tool. Service accounts are unlike regular user accounts; they are “a type of non-human account used to execute applications and run automated services”. Due to their nature, these accounts often have elevated privileges and can be prime targets for an attacker. In Dropbox’s case, this service account allowed the attacker to move from the initially compromised configuration tool to the customer database.
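The lateral movement described above (a service account tied to a configuration tool ending up in the customer database) is exactly the pattern a least-privilege allowlist plus a source-host baseline would surface. The following is an added example written for this post, not code from Dropbox or from the filing: the account names, resources, hosts and log lines are all constructed, and the log format is an assumption.

```python
"""Audit non-human (service) account activity against a least-privilege
allowlist and a per-account baseline of source hosts.

Added example; account names, resources, hosts and the log format below are
constructed for illustration and are not taken from the Dropbox filing.
"""
from collections import defaultdict

# Constructed allowlist: the only resources each service account should touch.
ALLOWED = {
    "svc-config-tool": {"config-store"},
    "svc-billing": {"billing-db"},
}

# Constructed log lines: <timestamp> <account> host=... resource=... action=...
SAMPLE_LOG = """\
2024-04-24T10:00:01Z svc-config-tool host=cfg-01 resource=config-store action=read
2024-04-24T10:05:12Z svc-billing host=bill-02 resource=billing-db action=read
2024-04-24T10:07:45Z svc-config-tool host=cfg-01 resource=customer-db action=read
2024-04-24T10:08:02Z svc-config-tool host=unknown-99 resource=customer-db action=export
"""


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, account, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": ts, "account": account, **kv}


def audit(log_text, allowed=ALLOWED, known_hosts=None):
    """Return (timestamp, account, finding, detail) tuples for two conditions:

    - resource_not_allowed: the account touched a resource outside its allowlist
      (a config-tool account reading a customer database, as in the incident).
    - new_source_host: the account was used from a host not in its baseline.
      The baseline is seeded from known_hosts and learned from the log; the very
      first host seen for an account is learned, not flagged.
    """
    findings = []
    seen_hosts = defaultdict(set)
    if known_hosts:
        for acct, hosts in known_hosts.items():
            seen_hosts[acct].update(hosts)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        acct = ev["account"]
        if ev["resource"] not in allowed.get(acct, set()):
            findings.append((ev["ts"], acct, "resource_not_allowed", ev["resource"]))
        if seen_hosts[acct] and ev["host"] not in seen_hosts[acct]:
            findings.append((ev["ts"], acct, "new_source_host", ev["host"]))
        seen_hosts[acct].add(ev["host"])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the constructed log, the two `customer-db` accesses by `svc-config-tool` are flagged as outside its allowlist, and the export from `unknown-99` is additionally flagged as a new source host. In practice the allowlist is the artifact worth maintaining: if the configuration tool's account had no path to the customer database, the compromised tool alone would not have reached user data.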
Dropbox is in the process of reaching out to all impacted users and taking steps to further mitigate the issue. All Dropbox Sign users will be forced to rotate their passwords, and API customers will only have limited access to document signing capabilities while API key rotation is coordinated. More detail can be found in the full press release here.
Losing sensitive user information is never a good look for any company. But, as a Dropbox user, I believe they’ve done right by me based on how they’ve approached this incident. The press release and filing shared in detail what went wrong, how they dealt with it and, most importantly, what they’re doing to ensure they prevent similar threats in the future. Having read through every 8-K filing to date, I wish more companies would provide similar detail and transparency, when possible. The post-mortem and root cause analysis instill confidence that weaknesses and gaps will be dealt with and mitigated in the future.
Thanks for reading,
Matt