by thrdbndndn 776 days ago
> Based on our investigation, a third party gained access to a Dropbox Sign automated system configuration tool. The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database.

Not familiar with this area; how does it usually happen? Social engineering or some more "technical" ways?

Also, under normal (not hacked) circumstances, who usually would have access to these service accounts?

2 comments

The credentials for service accounts are generally available to a system admin but I think in most cases it would be a strange request to ask for them, so not a strong vector for social engineering.

A service account is used to give limited permissions on one system to another system. Normally only that system would need access to them, not any human.

Their main benefit is that, since no person is trying to do their day job here, the account can be locked down to precisely the permissions it needs. The reality is that service accounts are usually given extremely permissive access initially and then forgotten about. This makes them juicy targets for attackers.

I really recommend listening to the Darknet Diaries podcast (available on Spotify at least). Really high-quality interviews with both ex- and current hackers, cybersecurity professionals, etc.
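The "permissive at first, then forgotten" pattern described in the reply above is something a defender can check for directly. The following is an added example, not code from the thread or from Dropbox: it audits a constructed, hypothetical service-account inventory (names, privilege strings and last-use dates are all made up) and flags accounts that hold broad grants, prioritising those that also appear unused.

```python
"""Flag service accounts that are over-privileged and/or apparently forgotten.

The inventory format below is hypothetical and constructed for this example;
in practice it would be exported from an IAM provider or secrets manager.
"""
from datetime import date, timedelta

# Grants broad enough that a compromised account can act almost anywhere.
BROAD_PRIVILEGES = {"*", "admin"}

# Constructed inventory: account name, granted privileges, last authenticated use.
INVENTORY = [
    {"name": "svc-config-tool", "privileges": {"*"}, "last_used": date(2023, 1, 4)},
    {"name": "svc-signing", "privileges": {"sign:create"}, "last_used": date(2024, 4, 30)},
    {"name": "svc-backup", "privileges": {"db:*"}, "last_used": date(2024, 4, 29)},
    {"name": "svc-legacy-import", "privileges": {"admin"}, "last_used": None},
]

AS_OF = date(2024, 5, 1)  # fixed "today" so the constructed data is reproducible


def is_over_privileged(privileges):
    """True if any grant is a wildcard or an explicit admin-level privilege."""
    return any(p in BROAD_PRIVILEGES or p.endswith(":*") for p in privileges)


def is_stale(last_used, today, max_idle_days):
    """True if the account never authenticated or has been idle too long."""
    if last_used is None:
        return True
    return (today - last_used) > timedelta(days=max_idle_days)


def audit(inventory, today, max_idle_days=90):
    """Return (name, reason) findings, in inventory order, for accounts that
    hold broad grants; unused ones get the stronger recommendation."""
    findings = []
    for acct in inventory:
        broad = is_over_privileged(acct["privileges"])
        stale = is_stale(acct["last_used"], today, max_idle_days)
        if broad and stale:
            findings.append((acct["name"], "over-privileged and unused: disable or rotate"))
        elif broad:
            findings.append((acct["name"], "over-privileged: scope down to needed actions"))
    return findings


def audit_inventory(today=AS_OF):
    """Run the audit over the constructed inventory with the fixed date."""
    return audit(INVENTORY, today)


if __name__ == "__main__":
    for name, reason in audit_inventory():
        print(f"{name}: {reason}")
```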