
Dropbox Security Incident

At 9:06am this morning (2nd May 2024), we were notified via email that Dropbox Sign had a security incident on the 24th of April 2024. Astalty integrates with Dropbox Sign to power our eSignature functionality. Dropbox Sign has published an article regarding the incident (https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign) and we strongly encourage you to read through it.

The Dropbox Sign article is targeted at Dropbox Sign's direct customers (Astalty being one of them) and goes into detail about the technicalities of the breach. In this article we outline what happened and how it impacts our customers in a non-technical manner where possible. If you would like a more technical explanation, please contact support@astalty.com.au.

What happened?

On the 24th of April, Dropbox Sign reported unauthorised access to its production environment, which resulted in the exposure of customer information. This includes some of the information sent to Dropbox Sign for Signature Requests prepared in Astalty.

Astalty's servers and database were not compromised or exposed in any way.

How is Dropbox Sign associated with Astalty?

Dropbox Sign powers our eSignature functionality. The only data we send to Dropbox Sign is the bare minimum needed to have a document signed. This includes:

  • the names and email addresses of the document sender and recipients

  • the document (PDF or Word document) itself

We do not send any other personal data to Dropbox Sign.

What data was exposed?

The following list outlines the categories of data that were accessed, with a definition of each item. The items of most importance are API keys and document recipient information:

  • Email addresses & usernames

    • The email addresses we (Astalty) use to log in to our Dropbox account.

  • Phone numbers

    • Phone numbers of Astalty team members.

  • Passwords

    • The password we use to log in to our Dropbox account. We do not use Dropbox Sign's standard login, so our Dropbox Sign password was not compromised.

  • Account settings

    • Certain settings for our account, such as notification settings.

  • API Keys

    • API keys are similar to passwords but are used to allow one software application to talk to another. For example, when Astalty asks Dropbox Sign to generate a Signature Request, we send our API key along with that request, and that is how Dropbox Sign knows the request is from us and not from another customer.

  • Names and email addresses of document recipients

    • This includes the name and email address of the people who received and signed a document through Dropbox Sign, which means anyone who received a document from Astalty to be signed.

Any Signature Requests with the status of DRAFT in Astalty are not sent to Dropbox Sign and are therefore unaffected.

Were actual documents exposed?

No.

Dropbox Sign has assured us that the contents of the documents being signed were not exposed. Below is a quote directly from Dropbox Sign:

We’ve found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information.

https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign

What actions has Astalty taken?

The following timeline shows the actions taken by the Astalty team on the 2nd of May 2024:

  • 9:06am - email notification received from Dropbox Sign about the incident

  • 9:32am - email was opened by James Mooring (Director)

  • 9:34am - our API keys were rotated, meaning any previously exposed API keys were deleted and replaced with new API keys

  • 9:35am - our internal investigation began, to verify that our API keys had not been used to act on our behalf

    • Since the 24th of April, a total of 2519 requests were made using our API keys. Each of these was individually checked to confirm that it originated from our servers, along with other request properties.

    • No use of our API keys by a malicious actor was found.

  • 11:03am - we started drafting our communications with the Astalty customers that are affected

  • 11:16am - we started building a Signature Request Export so customers can export a history of requests and notify their own customers as well

  • 11:46am - we finalised and deployed the Signature Request Export
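The 9:35am step above is an audit of every API request made with the exposed keys. The following is an added example of how such an audit can be scripted; it is not Astalty's or Dropbox Sign's code. The log line format, the trusted server IP ranges, the key identifiers and the rotation timestamp are all constructed for illustration. It applies the two checks a practitioner wants after a provider-side key exposure: every request must originate from our own servers, and the old key must not be accepted (or, from an outside source, even attempted) after rotation.

```python
"""Audit of API-key usage after a provider-side key exposure.

Added example, not Astalty's or Dropbox Sign's code. The log format, the
trusted egress ranges, the key ids and the rotation time are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed: egress ranges of our own application servers (assumption).
TRUSTED_EGRESS = (ip_network("203.0.113.0/28"), ip_network("198.51.100.0/28"))

# Constructed: the key id that appeared in the exposed dataset, and the moment
# it was revoked and replaced (the 9:34am rotation in the timeline).
EXPOSED_KEY_IDS = frozenset({"key_old_7f3a"})
ROTATED_AT = datetime(2024, 5, 2, 9, 34, tzinfo=timezone.utc)

# Constructed sample of provider-side API access records, one per line:
# "<ISO-8601 UTC timestamp> <key id> <source IP> <method> <path> <HTTP status>"
SAMPLE_LOG = """\
2024-04-25T10:12:03Z key_old_7f3a 203.0.113.5 POST /v3/signature_request/send 200
2024-04-28T02:41:17Z key_old_7f3a 192.0.2.77 GET /v3/account 200
2024-05-02T09:34:40Z key_new_c21d 203.0.113.6 POST /v3/signature_request/send 200
2024-05-02T09:36:00Z key_old_7f3a 203.0.113.5 POST /v3/signature_request/send 401
2024-05-02T11:05:09Z key_old_7f3a 192.0.2.77 GET /v3/signature_request/list 401
"""


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    key_id: str
    source_ip: str
    status: int
    reasons: tuple


def parse_line(line: str):
    """Split one record into typed fields; raises ValueError on malformed input."""
    ts, key_id, src, method, path, status = line.split()
    # fromisoformat() only accepts a trailing "Z" from Python 3.11, so normalise it.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, key_id, ip_address(src), method, path, int(status)


def audit(log_text: str, trusted=TRUSTED_EGRESS, exposed=EXPOSED_KEY_IDS,
          rotated_at=ROTATED_AT):
    """Return (total_requests, findings); each finding is a record needing review."""
    total = 0
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        total += 1
        when, key_id, src, method, path, status = parse_line(raw)
        reasons = []
        from_us = any(src in net for net in trusted)
        # 1. Every request should come from our own servers; anything else means
        #    the key was used by a party other than us.
        if not from_us:
            reasons.append("source outside trusted egress ranges")
        # 2. The exposed key must be dead after rotation. A rejected (4xx) attempt
        #    from our own servers is just a stale config; an accepted request means
        #    the provider still honours the old secret, and an attempt from an
        #    outside source means someone else is holding it.
        if key_id in exposed and when >= rotated_at:
            if status < 400:
                reasons.append("exposed key still accepted after rotation")
            elif not from_us:
                reasons.append("exposed key presented after rotation")
        if reasons:
            findings.append(Finding(when, key_id, str(src), status, tuple(reasons)))
    return total, findings


if __name__ == "__main__":
    total, findings = audit(SAMPLE_LOG)
    print(f"{total} requests checked, {len(findings)} need review")
    for f in findings:
        print(f.timestamp.isoformat(), f.key_id, f.source_ip, f.status, "; ".join(f.reasons))
```

On the constructed sample, two of the five records are flagged: both come from an address outside our servers, and the second one also shows the old key being tried after it was revoked. The 9:36am 401 from our own server is deliberately not flagged, since that is the expected noise of a key rotation propagating. In a real investigation the trusted ranges come from your hosting provider's egress configuration and the rotation time from the provider's audit trail, not from constants in a script.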

Moving forward, we will:

  • maintain close contact with Dropbox as they conduct their ongoing investigation, and relay any critical updates to our customers.

  • conduct an internal review to ensure Dropbox Sign continues to be a viable partner and aligns with our information security values, policies and requirements.

Is further action required?

You do not need to do anything.

If you would like a record of all of your Signature Requests, including the names and email addresses that were sent to Dropbox Sign to finalise each request, you can use the new export at https://app.astalty.com.au/exports/create/signature-requests.

More questions

Please contact support@astalty.com.au and we will be happy to answer any further questions.