[BreachExchange] Despite DocuSign promises, they couldn’t avoid the inevitable

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 25 19:07:51 EDT 2017



DocuSign, the leading electronic document-signing company for over a
decade, promises to “move business forward securely and reliably” on its
website. Last Monday, their promise fell short of reality.

The company announced that in a brazen breach of security, hackers
illegally acquired email addresses and contact lists of clients, which were
later used to launch damaging phishing attacks. The phishing messages
contained a link to a Microsoft Word document carrying malware.


In a statement the company said, “Today we confirmed that a malicious third
party had gained temporary access to a separate, non-core communication
system used for service-related announcements that contained a list of
email addresses.”

The extent of the hack was unspecified by the company, leading to
speculation that the reach was deep and widespread.

It was also unclear how many clients fell victim to the phishing attacks.


But DocuSign denied an invasive attack, stressing that only email addresses
were compromised. The company statement claimed, “A complete forensic
analysis has confirmed that only email addresses were accessed; no names,
physical addresses, passwords, social security numbers, credit card data or
other information was accessed.”

It seems that secured documents sent by clients through its system for
eSignature were not compromised.

But the company feared that phishing emails carrying a counterfeit DocuSign
logo and sent from addresses ending in “docus.com”, a lookalike of its real
domain, would continue to proliferate. The emails lured victims with a
purported wire transfer or accounting invoice declaring “Document Ready for
Signature”.
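The indicators described above (a lookalike sender domain, DocuSign branding on mail from a foreign domain, the “Document Ready for Signature” lure, and a link to a Word document) are the kind of thing a mail-filtering rule can score. The following is an added example, not code from the article or from DocuSign; the list of legitimate DocuSign sender domains, the lure phrases and the three sample messages are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed legitimate sender domains (illustrative; confirm against the
# vendor's published sender list before relying on this in production).
LEGIT_DOMAINS = {"docusign.com", "docusign.net"}
BRAND = "docusign"
# Subject phrases from the campaign described in the article. A match alone
# is not a verdict, because genuine DocuSign mail uses similar wording.
LURE_PHRASES = ("document ready for signature", "wire transfer", "invoice")
WORD_EXTS = (".doc", ".docm", ".docx")


def levenshtein(a, b):
    """Edit distance between two strings; small values flag near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two DNS labels, lower-cased (no public-suffix handling; enough here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(domain):
    """True if the second-level label is a truncation, typo or padding of the brand.
    Only meaningful for domains already known not to be legitimate."""
    sld = domain.split(".")[0]
    return BRAND[:4] in sld or levenshtein(sld, BRAND) <= 3


def classify(raw):
    """Return the indicators found in one RFC 822 message and an overall verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, host = addr.rpartition("@")
    sender_domain = registrable_domain(host)
    reasons = []

    if sender_domain not in LEGIT_DOMAINS:
        # Brand impersonation: display name or local part claims to be DocuSign.
        if BRAND in display.lower() or BRAND in local.lower():
            reasons.append("brand-claimed-from-foreign-domain")
        if is_lookalike(sender_domain):
            reasons.append("lookalike-domain:" + sender_domain)

    subject = msg.get("Subject", "").lower()
    if any(p in subject for p in LURE_PHRASES):
        reasons.append("lure-subject")

    # Links to Word documents hosted outside the vendor's domains.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        u = urlparse(url)
        link_host = u.hostname or ""
        if u.path.lower().endswith(WORD_EXTS) and registrable_domain(link_host) not in LEGIT_DOMAINS:
            reasons.append("external-word-doc-link:" + link_host)

    # The verdict rests on sender and link indicators; the subject only adds weight.
    suspicious = any(not r.startswith("lure-subject") for r in reasons)
    return {"from": addr, "reasons": reasons, "suspicious": suspicious}


# Constructed sample messages modelled on the campaign described in the article.
SAMPLES = {
    "lookalike": (
        'From: "DocuSign" <dse@docus.com>\n'
        "Subject: Document Ready for Signature\n\n"
        "Please review: http://docus.com/files/Invoice_4471.doc\n"
    ),
    "legit": (
        'From: "DocuSign" <dse@docusign.net>\n'
        "Subject: Completed: Master Services Agreement\n\n"
        "View it here: https://app.docusign.com/documents/details/abc\n"
    ),
    "typo": (
        'From: "Accounts Payable" <billing@docusgn.com>\n'
        "Subject: Wire transfer invoice attached\n\n"
        "See https://docusgn.com/inv.docm\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The subject check is deliberately not enough on its own to flag a message, since the lure text mimics what DocuSign really sends; the sender domain and the destination of the document link are what separate the campaign mail from the genuine article. A real deployment would replace the assumed domain list with the vendor's published one and feed the rule with the actual message headers rather than the samples embedded here.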


In our digital era, huge waves of coordinated phishing attacks, sometimes
even state-sponsored, have become extremely common. So some security
experts seemed not too alarmed by the DocuSign breach. Troy Hunt, a
security expert, told Inc.com, “It’s usually a trivial affair to track down
someone’s address because after all, that’s how you get in touch with them!”

However, the eventual phishing attack contained sophisticated malware in
the attachment that had the potential to access passwords or even banking

To its clients, the company struck a tone of extreme caution and instructed
them to “forward any suspicious emails related to DocuSign to
spam@docusign.com, and then delete them from your computer.”

It assured them further by saying, “We took immediate action to prohibit
unauthorized access to this system, we have put further security controls
in place, and are working with law enforcement agencies.”

DocuSign’s business is built on trust.

It has access to extremely confidential documents, from sensitive business
contracts to medical records. Any report of a security weakness could
immediately drive clients away from its services.

The company seems to be acutely aware of this.

Nearly five years ago, the American Genius ran a story about how many
DocuSign clients’ information appeared to have been publicly accessible
through Google search.

The company vehemently denied any breach of security back then and
explained that “it appears that a very small number of DocuSign users have
saved their own personal copies of their signed documents to publicly
accessible and searchable locations outside of the secure DocuSign Global
Network,” essentially shifting the blame onto users.


This time around, the company had to admit that a third party caused the
breach.

On its website, DocuSign tells clients to “get to ‘yes’ faster” by using
its services, which it describes as “more secure than paper.”

On paper, in fact, that’s not true anymore.