DocuSign Confirms Hack And The Stolen Data Could Put You At Risk

Updated May 16, 2017, 10:00am EDT

Ever digitally signed a document? Then there's a good chance that you've used or at least heard of DocuSign. For a decade and a half, it's been among the world leaders in digitizing tasks that historically required putting pen to paper.

DocuSign's business is built around trust, which is why it's so worrying to see the company reporting a breach of one of its systems.

In an update on its website, DocuSign reported an uptick in targeted spam campaigns abusing the company's branding. An investigation was launched, and it was determined that hackers had "gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email."

At first glance, the damage appears relatively minimal. DocuSign noted that no names, addresses, social security numbers, or payment data was accessed. So what did the attackers get their hands on? Email addresses -- possibly more than 100 million.

That might not seem like a very big deal at first glance. There have, after all, been so many massive leaks in recent history that there's a very good chance most of the addresses in DocuSign's database were already leaked from other sources. They may also have appeared in that spam database that contained 1.4 billion email addresses.

The problem now is that cybercriminals have a way to refine their attacks against a large group of people. People who do business online. People who exchange contract documents and complete transaction processes digitally. In short, the kind of people whom cybercriminals love to spearphish.

Although email addresses were the only data taken from DocuSign, those addresses can be matched up with personal data that was leaked elsewhere and used to craft incredibly convincing phishing emails. For now, at least, the spam campaign doesn't appear to be very sophisticated.

The messages are easy enough to pick apart. They're sent from a non-DocuSign domain like docus.com and contain misspellings. One of two subjects is used: "Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature" or "Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature." Given time, however, the scams will get harder to detect.
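The two indicators above (a sender domain that isn't DocuSign's, and the two quoted subject templates) are enough for a simple mail-triage check. The following is an added example, not code from DocuSign or from this article; the sample messages are constructed, and the allowlist of legitimate sender domains is an assumption that a deployment should replace with its own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains DocuSign sends notifications from; verify
# against your own mail logs before relying on it.
LEGIT_DOMAINS = {"docusign.com", "docusign.net"}

# The two subject templates quoted in the article, with the variable parts
# ([domain name], recipient-name, [Number]) turned into wildcards. Accepts
# either an en dash or a hyphen, since lures vary in punctuation.
LURE_SUBJECT = re.compile(
    r"^Completed:?\s+\S+\s+[\u2013-]\s+"
    r"(?:Wire transfer for .+?|Accounting Invoice .+?)"
    r"\s+Document Ready for Signature$",
    re.IGNORECASE,
)

# Constructed samples: one lure in each subject format, plus a benign-looking
# notification that should not be flagged.
SAMPLE_MESSAGES = [
    "From: DocuSign <dse@docus.com>\n"
    "Subject: Completed: acme.com  \u2013 Wire transfer for Jane Doe Document Ready for Signature\n\n",
    "From: DocuSign <noreply@docus.com>\n"
    "Subject: Completed jane@acme.com - Accounting Invoice 4471 Document Ready for Signature\n\n",
    "From: DocuSign <dse@docusign.net>\n"
    "Subject: Please DocuSign: Lease agreement\n\n",
]


def triage(raw: str) -> dict:
    """Parse one RFC 822 message and report which lure indicators it matches."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Collapse runs of whitespace so the doubled space in the real lure
    # subject does not defeat the pattern.
    subject = " ".join(msg.get("Subject", "").split())
    indicators = []
    if domain and domain not in LEGIT_DOMAINS:
        indicators.append(f"sender domain {domain} is not a DocuSign domain")
    if LURE_SUBJECT.match(subject):
        indicators.append("subject matches the DocuSign-themed lure template")
    return {"from_domain": domain, "subject": subject,
            "indicators": indicators, "suspicious": bool(indicators)}


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(triage(raw))
```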

There will still be a very easy way for DocuSign customers to avoid becoming victims, though. Just follow security researcher Brian Krebs' advice: don't click any links in any DocuSign emails. If there really is a document that requires your attention, head over to the DocuSign website and sign in to your account.

DocuSign offers additional advice on how to protect yourself, and issued the following statement to its customers: "Your trust and the security of your transactions, documents and data are our top priority. The DocuSign eSignature system remains secure, and you and your customers may continue to transact business through DocuSign with trust and confidence."