DocuSign User
jdmc
Posts: 11
Registered: 12-05-2012

DocuSign customer information security breach


There appears to have been a security breach of DocuSign's customer-information database.

This morning I received a fake email message purporting to be sent by DocuSign, bearing instructions to open an attached file that was supposedly called "Employment 2013.pdf". The attachment is actually a ZIP archive containing a Windows executable file called "Employment 2013.pdf.exe", which is presumably a Trojan malware payload.

But the fact that the message was made to look like it came from DocuSign is not the real problem here. The real problem is that the fake email was sent to the unique email address with which I registered my DocuSign account, a special address that I created specifically for that purpose and have used nowhere else. Furthermore, since creating my DocuSign account on 11-Aug-2012, I have never actually used it in practice. The only way my DocuSign email address could become known to a spammer is by being leaked from DocuSign.

What's even more disturbing is that I have an account with remote-computer-access provider LogMeIn, which I also created with its own unique email address… and at the same time I received the trojan-spam sent to my DocuSign account email address, I also received a second copy of the trojan-spam sent to my LogMeIn account email address. Therefore it appears that the LogMeIn customer-information database has also been compromised.

It is especially worrisome to consider the possibility that DocuSign and/or LogMeIn account passwords could have been leaked as well. Attackers able to actually log in using someone's LogMeIn credentials could conceivably have full interactive access to any number of computers and mobile devices.

For the record, both of the fake DocuSign emails I received this morning originated from IP address 182.72.122.218, which is located in India.
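A defender's check for the attachment pattern described in the post above (a ZIP archive carrying a "....pdf.exe" executable under a document-looking name), added here as an example and not code from this thread or from DocuSign; the message and the archive it scans are constructed inside the block, and the extension lists are assumptions, not a complete catalogue.

```python
import io
import zipfile
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}  # run by Windows
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}  # what the lure pretends to be

def deceptive_name(name: str) -> bool:
    """True for a double-extension lure such as 'Employment 2013.pdf.exe'."""
    parts = name.lower().rsplit(".", 2)
    return (len(parts) == 3 and "." + parts[-1] in EXECUTABLE_EXTS
            and "." + parts[-2] in DOCUMENT_EXTS)

def scan_zip_attachment(data: bytes) -> list:
    """Return reasons the archive is suspicious; an empty list means nothing found."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if "." + info.filename.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
                    findings.append(f"executable inside archive: {info.filename}")
                if deceptive_name(info.filename):
                    findings.append(f"double-extension lure: {info.filename}")
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid ZIP archive")
    return findings

def scan_message(msg: EmailMessage) -> list:
    """Judge every attachment by its content, not by the name the sender chose."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04"):  # ZIP magic bytes, whatever the name claims
            if not name.lower().endswith(".zip"):
                findings.append(f"ZIP content behind a non-ZIP name: {name}")
            findings.extend(scan_zip_attachment(payload))
    return findings

def build_sample_lure() -> EmailMessage:
    """Constructed message mirroring the reported lure; not a captured sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Employment 2013.pdf.exe", b"MZ" + b"\x00" * 16)  # fake PE stub
    msg = EmailMessage()
    msg.set_content("Please open the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Employment 2013.pdf")  # name claims a PDF
    return msg
```

Running `scan_message(build_sample_lure())` reports the name/content mismatch, the embedded executable and the double-extension lure, which is the signal a mail gateway or user-side triage script would quarantine on.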

Casual DocuSign User
PagosaJoe
Posts: 1
Registered: 06-19-2012

Re: Docusign customer information security breach

I received the same message and file. It might have caught me but for the fact that I've not got any documents out for signature. Even slicker, all the rollover links within the message were docusign.com links. The return email was from *@docusign.net, however. Hope the DocuSign folks have this under control, though I doubt it.

DocuSign User
jdmc
Posts: 11
Registered: 12-05-2012

Re: Docusign customer information security breach

For cross-reference, there's a thread about this issue in LogMeIn's community forums: LogMeIn leaked my email address?

Casual DocuSign User
clarknuber
Posts: 1
Registered: 12-05-2012

Re: Docusign customer information security breach

Many of our employees received this same message. It has crippled our network drives and made files and folders on infected users' local computers read-only.

Community Manager
MRider
Posts: 7
Registered: 03-19-2012

Re: DocuSign customer information security breach

@JDMC: Thank you for your post to the DocuSign Community. DocuSign is tracking this issue and is posting updates to http://www.DocuSign.com/spam-incident with more details. Thus far, we’ve seen a third party who is sending a malicious spam email to a broad group (that includes principally non-DocuSign users, but also includes some DocuSign users) to make it look as if it is coming from the DocuSign service. These emails are not coming from DocuSign, nor have user email addresses been provided by DocuSign.

The emails are unrelated to DocuSign and the DocuSign service. The malicious third party is attempting to copy the look and feel of a DocuSign email and spoofing IP addresses hoping to fool people into believing the email came from a trusted source. The fake email includes an attached executable zip file that may contain a malware virus. DO NOT OPEN the attachment. We have put a banner on our website and production service to bring this to the attention of anyone visiting DocuSign.com.

Below are the immediate steps that you should take if you received malware spam email:
· DO NOT OPEN any attachments
· FORWARD the email to spam@docusign.com
· Immediately DELETE the email

Consider taking the below additional steps to prevent future malware spam emails:
· Ensure your anti-virus software is up to date and enabled
· Contact the sender to confirm the authenticity of the signature request if you don’t recognize the sender of a DocuSign envelope
· Don’t open email attachments from unknown recipients; DocuSign-generated emails don’t contain executable files as attachments

We will continue to aggressively monitor this malware email incident and post any additional information to http://www.DocuSign.com/spam-incident. Again, thank you for posting this to the DocuSign Community.

DocuSign User
jdmc
Posts: 11
Registered: 12-05-2012

Re: DocuSign customer information security breach


Please re-read my original post, which I have edited for clarity. The fact that the trojan-spam that I received was made to look like it came from DocuSign is not the issue here. The issue is that an unauthorized third party has gained possession of private data that could only have come from DocuSign's customer-information database. The leaked data certainly included customer email addresses. And given that fact, it would seem likely that other customer data was leaked as well.

Guru Collector
frankly
Posts: 3
Registered: 04-26-2012

Not Docusign Re: DocuSign customer information security breach

Hey there JDMC,

My name is Frank. I helped expose an issue that Docusign had a few months ago where customers were uploading contracts and those contracts were getting picked up by Google and email addresses were exposed. Docusign could have easily added a "nofollow" to the code and maintain it wasn't a "leak", but whatever it was... it was fixed.

In this case, I 100% hear you. You have a unique email address that only they would know. I do that too. Busted, right?

I might have thought that if you didn't also say you got one from LogMeIn. Too much of a coincidence. There are other ways this virus could get your email, including a far more likely way:

a) Via your email/gmail was hacked and they got the docusign email that way

If they hack your email, a simple search for Docusign would uncover that email

b) Via your LogMeIn, perhaps with a hack and somehow they could watch you do stuff in docusign

c) Via a keystroke hacker virus. Tracking keystrokes so they will know what you used on every site.

You can start by checking for keystroke viruses on your computer, and then you can change passwords (in that order).

Frank

DocuSign User
jdmc
Posts: 11
Registered: 12-05-2012

Re: Not Docusign


Frank wrote:

a) Via your email/gmail was hacked and they got the docusign email that way

If they hack your email, a simple search for Docusign would uncover that email

I use a private, high-security email service provider that logs all access attempts. My email has not been hacked.

b) Via your LogMeIn, perhaps with a hack and somehow they could watch you do stuff in docusign

I have an inactive LogMeIn account that is not authorized to access anything. I also have never actually used DocuSign.

c) Via a keystroke hacker virus. Tracking keystrokes so they will know what you used on every site.

I use Mac OS X 10.7.5. I don't have a keystroke virus.

Clearly, there has been a breach of account information at DocuSign and also at LogMeIn. These breaches need not have occurred at the same time, nor have been perpetrated by the same people. Their results need only have been merged (probably along with other sources) into the same list of recipients for the same spam campaign.

I am not the only person who uses unique-to-site disposable email addresses who is now reporting having received spam at addresses that were given only to DocuSign or LogMeIn. It is not reasonable to suppose that hackers are doing the very time-consuming work of trying to look over my email data by hand. I'm just one individual. The only reasonable explanation is that the data breach is the result of actions that gain access to data on many thousands or millions of people all at once.

Guru Collector
frankly
Posts: 3
Registered: 04-26-2012

Re: Not Docusign

Can't wait to hear what they say... This will be interesting.

DocuSign User
jdmc
Posts: 11
Registered: 12-05-2012

Re: DocuSign customer information security breach

A week has passed since my initial report, and DocuSign still has not responded in any visible way to the fact that the email addresses of DocuSign users have somehow fallen into the hands of spammers. Again, this is a completely separate issue from some people having received trojan-spam messages that were made to look like they came from DocuSign; the issue is the stolen email addresses to which the spam was sent, not what the spam looked like. (That being said, it would certainly make sense for the creators of a trojan-spam message made to look like it came from DocuSign to target that message at addresses known to be associated with DocuSign accounts, as recipients accustomed to receiving similar-looking legitimate notifications from DocuSign would be much less likely than non-DocuSign customers to view the spoof message with suspicion.)

I will not let this issue pass until I see a substantive response from DocuSign.