Hacker News
by btown 775 days ago
Trying to understand some of the interplay here:

> threat actor had accessed data including ... certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.

> If I have a Sign account linked to my Dropbox account, is my Dropbox account affected? No. Based on our investigation to date, we believe this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.

If you linked your Dropbox account to a Sign account, wouldn't Sign have had an OAuth token (or similar) with permissions to access documents in Dropbox accounts? One imagines that leaked, if everything else did. Would they have been able to detect this as a distinct access pattern from someone, say, choosing a file to sign via the Sign interface?