DocuSign User
jdmc
Posts: 11
Registered: ‎12-05-2012

DocuSign customer information security breach

[ Edited ]

There appears to have been a security breach of DocuSign's customer-information database.

 

This morning I received a fake email message purporting to be sent by DocuSign, bearing instructions to open an attached file that was supposedly called "Employment 2013.pdf". The attachment is actually a ZIP archive containing a Windows executable file called "Employment 2013.pdf.exe", which is presumably a Trojan malware payload.

 

But the fact that the message was made to look like it came from DocuSign is not the real problem here. The real problem is that the fake email was sent to the unique email address with which I registered my DocuSign account — a special address that I created specifically for that purpose and have used nowhere else. Furthermore, since creating my DocuSign account on 11-Aug-2012, I have never actually used it in practice. The only way my DocuSign email address could become known to a spammer is by being leaked from DocuSign.

 

What's even more disturbing is that I have an account with remote-computer-access provider LogMeIn, which I also created with its own unique email address… and at the same time I received the trojan-spam sent to my DocuSign account email address, I also received a second copy of the trojan-spam sent to my LogMeIn account email address. Therefore it appears that the LogMeIn customer-information database has also been compromised.

 

It is especially worrisome to consider the possibility that DocuSign and/or LogMeIn account passwords could have been leaked as well. Attackers able to actually log in using someone's LogMeIn credentials could conceivably have full interactive access to any number of computers and mobile devices.

 

For the record, both of the fake DocuSign emails I received this morning originated from IP address 182.72.122.218, which is located in India.

Casual DocuSign User
PagosaJoe
Posts: 1
Registered: ‎06-19-2012

Re: Docusign customer information security breach

I received the same message and file. It might have caught me but for the fact that I've not got any documents out for signature. Even slicker, all the rollover links within the message were docusign.com links. The return email was from *@docusign.net, however. Hope the DocuSign folks have this under control, though I doubt it.

DocuSign User
jdmc
Posts: 11
Registered: ‎12-05-2012

Re: Docusign customer information security breach

For cross-reference, there's a thread about this issue in LogMeIn's community forums: LogMeIn leaked my email address?

Casual DocuSign User
clarknuber
Posts: 1
Registered: ‎12-05-2012

Re: Docusign customer information security breach

Many of our employees received this same message.  It has crippled our network drives and made files and folders on infected users' local computers read only.

DocuSign Team
MRider
Posts: 7
Registered: ‎03-19-2012

Re: DocuSign customer information security breach

@JDMC: Thank you for your post to the DocuSign Community. DocuSign is tracking this issue and is posting updates to http://www.DocuSign.com/spam-incident with more details. Thus far, we’ve seen a third party who is sending a malicious spam email to a broad group (that includes principally non-DocuSign users, but also includes some DocuSign users) to make it look as if it is coming from the DocuSign service. These emails are not coming from DocuSign, nor have user email addresses been provided by DocuSign.
 
The emails are unrelated to DocuSign and the DocuSign service. The malicious third party is attempting to copy the look and feel of a DocuSign email and spoofing IP addresses hoping to fool people into believing the email came from a trusted source. The fake email includes an attached executable zip file that may contain a malware virus. DO NOT OPEN the attachment. We have put a banner on our website and production service to bring this to the attention of anyone visiting DocuSign.com.
 
Below are the immediate steps that you should take if you received malware spam email:
·  DO NOT OPEN any attachments
·  FORWARD the email to spam@docusign.com
·  Immediately DELETE the email
 
Consider taking the below additional steps to prevent future malware spam emails:
·  Ensure your anti-virus software is up to date and enabled
·  Contact the sender to confirm the authenticity of the signature request if you don’t recognize the sender of a DocuSign envelope
·  Don’t open email attachments from unknown recipients; DocuSign-generated emails don’t contain executable files as attachments
 
We will continue to aggressively monitor this malware email incident and post any additional information to http://www.DocuSign.com/spam-incident. Again, thank you for posting this to the DocuSign Community.

DocuSign User
jdmc
Posts: 11
Registered: ‎12-05-2012

Re: DocuSign customer information security breach

[ Edited ]

Please re-read my original post, which I have edited for clarity. The fact that the trojan-spam that I received was made to look like it came from DocuSign is not the issue here. The issue is that an unauthorized third party has gained possession of private data that could only have come from DocuSign's customer-information database. The leaked data certainly included customer email addresses. And given that fact, it would seem likely that other customer data was leaked as well.

Guru Collector
frankly
Posts: 3
Registered: ‎04-26-2012

Not Docusign Re: DocuSign customer information security breach

 Hey there JDMC,

My name is Frank. I helped expose an issue that Docusign had a few months ago where customers were uploading contracts and those contracts were getting picked up by google and email addresses were exposed. Docusign could have easily added a "nofollow" to the code and maintain it wasn't a "leak" but whatever it was... it was fixed.

In this case, I 100% hear you. You have a unique email address that only they would know. I do that too. Busted, right?

I might have thought that if you didn't also say you got one from LogMeIn. Too much of a coincidence. There are other, far more likely ways this virus could get your email, including:


a) Via your email/gmail was hacked and they got the docusign email that way

If they hack your email, a simple search for Docusign would uncover that email


b) Via your LogmeIn, perhaps with a hack and somehow they could watch you do stuff in  docusign

c) Via a keystroke hacker virus. Tracking keystrokes so they will know what you used on every site.

You can start by checking for keystroke viruses on your computer, and then you can change passwords (in that order).

Frank

DocuSign User
jdmc
Posts: 11
Registered: ‎12-05-2012

Re: Not Docusign

[ Edited ]

Frank wrote:

 

a) Via your email/gmail was hacked and they got the docusign email that way

If they hack your email, a simple search for Docusign would uncover that email

 

I use a private, high-security email service provider that logs all access attempts. My email has not been hacked.

 

b) Via your LogmeIn, perhaps with a hack and somehow they could watch you do stuff in docusign

 

I have an inactive LogMeIn account that is not authorized to access anything. I also have never actually used DocuSign.

 

c) Via a keystroke hacker virus. Tracking keystrokes so they will know what you used on every site.

 

I use Mac OS X 10.7.5. I don't have a keystroke virus.

 

Clearly, there has been a breach of account information at DocuSign and also at LogMeIn. These breaches need not have occurred at the same time, nor have been perpetrated by the same people. Their results need only have been merged (probably along with other sources) into the same list of recipients for the same spam campaign.

 

I am not the only person who uses unique-to-site disposable email addresses who is now reporting having received spam at addresses that were given only to DocuSign or LogMeIn. It is not reasonable to suppose that hackers are doing the very time-consuming work of trying to look over my email data by hand. I'm just one individual. The only reasonable explanation is that the data breach is the result of actions that gain access to data on many thousands or millions of people all at once.

Guru Collector
frankly
Posts: 3
Registered: ‎04-26-2012

Re: Not Docusign

Can't wait to hear what they say... This will be interesting.

DocuSign User
jdmc
Posts: 11
Registered: ‎12-05-2012

Re: DocuSign customer information security breach

A week has passed since my initial report, and DocuSign still has not responded in any visible way to the fact that the email addresses of DocuSign users have somehow fallen into the hands of spammers. Again, this is a completely separate issue from some people having received trojan-spam messages that were made to look like they came from DocuSign; the issue is the stolen email addresses to which the spam was sent, not what the spam looked like. (That being said, it would certainly make sense for the creators of a trojan-spam message made to look like it came from DocuSign to target that message at addresses known to be associated with DocuSign accounts, as recipients accustomed to receiving similar-looking legitimate notifications from DocuSign would be much less likely than non-DocuSign customers to view the spoof message with suspicion.)

 

I will not let this issue pass until I see a substantive response from DocuSign.

DocuSign Team
MRider
Posts: 7
Registered: ‎03-19-2012

Re: DocuSign customer information security breach

Jdmc – Thank you for your follow up post. Our apologies for not getting back to you sooner. We updated the communication at www.docusign.com/spam with more details to reach as broad an audience as possible. We are continuing to investigate the spam incident and are aggressively working with law enforcement agencies to take further action.

From our investigation, 85%+ of the forwarded emails to spam@docusign.com and calls to our support team regarding this spam incident have been from individuals who do not have a DocuSign account.  Like your question above, we have received questions from others asking how a third party may have obtained their email addresses. Malicious third parties most often obtain email addresses by spidering the Internet, purchasing lists, and then “phishing” for personal information via phone calls, spam emails, or fake web sites that contain malicious viruses designed to capture email directories, contacts, and other personal data. Even in the case of an email that is used only for a specific purpose, like your DocuSign account, that email is susceptible to these sort of "phishing" scams as noted by Frank.

The security and privacy of our customers' documents, personal information and data are our top priority. Our investigation thus far has shown that the DocuSign eSignature network has been and remains secure.

We'd be happy to speak further with you to talk through any additional security and privacy concerns. If this would be of interest, please send us an email (support@docusign.com) with your contact info.  Thanks.

DocuSign User
jdmc
Posts: 11
Registered: ‎12-05-2012

Re: DocuSign customer information security breach

MRider wrote:

 

Malicious third parties most often obtain email addresses by spidering the Internet, purchasing lists, and then “phishing” for personal information via phone calls, spam emails, or fake web sites that contain malicious viruses designed to capture email directories, contacts, and other personal data. Even in the case of an email that is used only for a specific purpose, like your DocuSign account, that email is susceptible to these sort of "phishing" scams

 

Speaking in general, what you say is true. But that's not how anybody got their hands on the unique email address with which I created my DocuSign account on August 11 of this year. I have never used or disclosed it anywhere except when creating the account. I probably logged into the DocuSign website a couple of times with it, but I've never received any DocuSign phishing emails, and I've never actually used DocuSign's services. I have an information-technology background and am highly attuned to phishing attempts. There is NO WAY my uniquely-created DocuSign email address could have fallen into the hands of spammers except by being leaked from DocuSign's data systems. Period.

 

There is plenty of reason to believe that the email addresses of a great many other DocuSign account-holders were also leaked, but because those email addresses were not uniquely created for DocuSign, the affected users have no way of knowing where those addresses were leaked from. This is the primary reason for creating unique single-use addresses in the first place: it makes data breaches traceable to the source. That is exactly what has happened here with DocuSign.

 

The fact that I created my DocuSign account, and the unique single-purpose email address associated with it, on August 11 tells us that the DocuSign data breach happened after that date. I suggest you focus your investigation accordingly.

DocuSign User
jdmc
Posts: 11
Registered: ‎12-05-2012

Explanation of unique single-use email addresses

[ Edited ]

I realize that many people reading this thread may not understand what I mean when I talk about creating "unique single-use email addresses", so let me explain.

 

I own multiple Internet domain names. Let's imagine that one of them is "mydomain.com". First, what I do is set up "catch-all" email service on that domain. This means that an email message sent to any address in that domain (______@mydomain.com) gets delivered to me.

 

Once I've done that, it's easy to create arbitrary, unique, single-purpose email addresses, on the fly, whenever I want to. For example, if I set up an account at Amazon.com, I can use the email address "amazon.com@mydomain.com". If I set up an account at the New York Times website, I can use the email address "nytimes@mydomain.com". I can even encode a date-stamp into an address if I want to know when I used it. For example, if I fill out an online survey somewhere today, I could provide the email address "survey-12z14@mydomain.com", where the "12z14" is code for today's date, December 14, 2012.

 

Again, because the email handling at my domain is set to deliver messages to me regardless of the part of the address before the "@" sign, I don't have to manually add all the ad-hoc special addresses that I create. They all get delivered automatically.

 

One benefit of doing this is that if I find at some point that I'm receiving spam at some address in my domain, I can simply configure my email service to reject or discard any messages sent to that address. Kaboom, no more spam.

 

Another benefit is that if I begin receiving spam at an address that I created specifically for a particular service or website, and which I never used or disclosed anywhere else, I know that the address was somehow leaked from (or sold by) that service or website. Over the past ten years, it's been quite fascinating to watch what services and websites this has happened with.

 

This is exactly the process that has revealed to me that DocuSign leaked the unique address that I provided when I created my DocuSign account.
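
The per-service address scheme described in the post above, as an added Python example that is not part of any post in this thread. It goes beyond the post by appending a keyed tag (HMAC) to each alias, so that mail arriving at a valid alias cannot be explained by someone guessing addresses on a catch-all domain. The key, the alias format, the LogMeIn issue date and the spam dates are assumptions constructed for illustration; only the 11 August 2012 sign-up date comes from the thread.

```python
import hashlib
import hmac
from datetime import date, datetime

DOMAIN = "mydomain.com"           # placeholder catch-all domain used in the post
SECRET = b"constructed-demo-key"  # assumption: a key known only to the domain owner


def alias_tag(service: str, issued: date) -> str:
    """Short keyed tag, so a valid alias cannot be produced by guessing."""
    msg = f"{service}|{issued:%Y%m%d}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:8]


def make_alias(service: str, issued: date) -> str:
    """Address to hand to exactly one service: service-YYYYMMDD-tag@domain."""
    service = service.lower()
    return f"{service}-{issued:%Y%m%d}-{alias_tag(service, issued)}@{DOMAIN}"


def attribute(recipient: str, blocked=frozenset()) -> dict:
    """Map an envelope recipient back to the service it was issued to."""
    addr = recipient.strip().strip("<>").lower()
    local, _, domain = addr.rpartition("@")
    result = {"address": addr, "service": None, "issued": None,
              "verdict": "unregistered"}
    if domain != DOMAIN:
        result["verdict"] = "not-ours"
        return result
    parts = local.rsplit("-", 2)          # service names may contain '-'
    if len(parts) != 3:
        return result                     # e.g. a dictionary guess
    service, stamp, tag = parts
    if len(stamp) != 8 or not stamp.isdigit():
        return result
    try:
        issued = datetime.strptime(stamp, "%Y%m%d").date()
    except ValueError:
        return result
    expected = alias_tag(service, issued)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return result                     # right shape, wrong tag: never issued
    result.update(service=service, issued=issued,
                  verdict="blocked" if addr in blocked else "issued")
    return result


def leak_report(spam_log, blocked=frozenset()) -> dict:
    """Per service: issue date, first spam seen, and hit count.

    The address left the service's hands somewhere between 'issued'
    and 'first_spam'.
    """
    report = {}
    for recipient, received in spam_log:
        hit = attribute(recipient, blocked)
        if hit["service"] is None:
            continue                      # guessed or foreign address: no evidence
        row = report.setdefault(hit["service"], {"issued": hit["issued"],
                                                 "first_spam": received,
                                                 "hits": 0})
        row["first_spam"] = min(row["first_spam"], received)
        row["hits"] += 1
    return report


# Constructed sample log of (envelope recipient, date received).
DOCUSIGN = make_alias("docusign", date(2012, 8, 11))
LOGMEIN = make_alias("logmein", date(2011, 3, 2))
SPAM_LOG = [
    (DOCUSIGN, date(2012, 12, 5)),
    (LOGMEIN, date(2012, 12, 5)),
    ("docusign@mydomain.com", date(2012, 12, 6)),  # guess against the catch-all
    (DOCUSIGN, date(2013, 1, 24)),
]

if __name__ == "__main__":
    for service, row in leak_report(SPAM_LOG).items():
        print(f"{service}: issued {row['issued']}, first spam "
              f"{row['first_spam']}, {row['hits']} hit(s)")
```
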

DocuSign User
jdmc
Posts: 11
Registered: ‎12-05-2012

Re: DocuSign customer information security breach

[ Edited ]

Brian Krebs of the Krebs on Security blog is now reporting on this situation. Read his article here: LogMeIn, DocuSign Investigate Breach Claims

Casual DocuSign User
HousingCoach
Posts: 1
Registered: ‎01-24-2013

Re: DocuSign customer information security breach

I just received a phishing type email delivered to my unique single use email address specifically created and only used here on DocuSign. I just called customer support who, after keeping me on hold for 15 minutes before I ever spoke to anyone, did ABSOLUTELY NOTHING to reassure me that my information and or my client's information on the company servers is safe or secure.

 

It clearly is a SECURITY BREACH AT DocuSign. I read the lame attempts to point the finger elsewhere but I am here to tell you that the breach wasn't on my end either. I have top of the line security software on my system and watch it like a hawk. I know which of my vendors have been hacked using similar techniques as jdmc. I expect it from most but not from banks and not from those who built their business based on digital identity verification. The email address that I use with DocuSign is a standalone POP account and not a forwarding account. That is what I do for vendors that I plan on using for a long period of time.

 

My trust in DocuSign has been shaken and feel as though I may no longer be able to remain a customer. I mentioned that to the nice Indian woman who answered the phone. She didn't know what to say other than to forward the email to spam@dousign.com. Knowing that you are using an Indian service to handle customer service tells me they have access to our information and there are many ways to breach an extended network.

DocuSign Team
MRider
Posts: 7
Registered: ‎03-19-2012

Malware Spam Update

At 8:40AM PST this morning, 1/24/2013, DocuSign became aware of new malware spam emails that are being sent as if it was coming from the DocuSign service. These emails are not coming from DocuSign. DO NOT CLICK on any links or attachments therein. They are coming from an unrelated, malicious third party attempting to copy DocuSign’s email branding in the hopes of fooling recipients into opening the email and clicking on links and/or attachments. As a recipient, you can recognize safe, secure DocuSign links by hovering your mouse over them before you click on them to ensure that they start with: https://www.docusign.com or https://www.docusign.net.

Any other links within emails made to look like DocuSign system emails are unsecure and unsafe. DO NOT CLICK these links. Examples of unsecure and unsafe links that we have seen in malware spam emails to date include (but are not limited to):
[Image: Screen Shot 2013-01-24 at 1.04.46 PM.png]
If you believe you received malware spam email, please forward the email to spam@docusign.com and then immediately delete it from your system. More information on this and other malicious malware spam email attacks – including a screen shot of the spoof email – can be found on the DocuSign web site at https://www.docusign.com/spam.

Get helpful tips on protecting yourself from malware spam email from a recent blog post, "Protect Yourself From Online Fraud and Scams in the New Year", by DocuSign's Chief Security Officer at https://www.docusign.com/node/3952.

Casual DocuSign User
KlickEKlick
Posts: 6
Registered: ‎01-24-2013

Re: DocuSign customer information security breach

I am getting these on both my accounts, each a different email address that are aliases to my own domain.  Docusign = Compromised. 

 

 

 

X-Originating-Ip: [209.67.98.59]
Received: from SEFE69.seaprod.com (unknown [192.168.72.11])
	by mailsea.docusign.net (Postfix) with ESMTP id H9WEL4VLT9B9
	for <<xxx>>,
	<XXXX>>; Fri, 25 Jan 2013 01:24:48 +0700
X-DKIM: Sendmail DKIM Filter v2.8.2 mailsea.docusign.net 8EWPLBUCZMUM
Received: from docusign.net ([127.0.0.1]) by SEFE19.seaprod.com with Microsoft SMTPSVC(7.5.7601.17514);
	 Fri, 25 Jan 2013 01:24:48 +0700
Sender: DocuSign System  <dse@docusign.net>

Received-SPF: neutral (google.com: 112.215.45.37 is neither permitted nor denied by best guess record for domain of message@securebank.com) client-ip=112.215.45.37;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 112.215.45.37 is neither permitted nor denied by best guess record for domain of message@securebank.com) smtp.mail=message@securebank.com

Message-ID: <54CV0R3S99T79PQVCP12IVL9B6L72Q@docusign.net>
Date: Fri, 25 Jan 2013 01:24:48 +0700
Subject: Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf
 
Linked site

<p>Sent on behalf of <a class="LinkStyle" href="http://83.136.146.76/turnround/index.html">DocuSign Support</a>.</p>

It was redirected to this site which I'm still investigating. Appears to affect Chrome. So don't click it. 14.sofacomplete.com h00p://14.sofacomplete.com/chrome/

DocuSign Team
MRider
Posts: 7
Registered: ‎03-19-2012

Re: DocuSign customer information security breach

Thank you for your post in the DocuSign Community. We apologize for the 15 minute delay in speaking with you over the phone. Let me assure you that the security and privacy of our customers' documents, personal information, and data are our top priority, and that our forensic investigation has confirmed that the DocuSign eSignature service and our customers' documents, personal information and data are and remain secure.

From the first malware spam attacks late last year to the most recent attacks this week, DocuSign has and continues to aggressively investigate and work with both antivirus software providers and law enforcement agencies to take appropriate action.

We have received questions from individuals asking how a third party may have obtained their email address. Malicious third parties most often obtain email addresses by spidering the Internet, purchasing lists, and then "phishing" for personal information via phone calls, spam emails, and/or fake web sites that contain malicious viruses designed to capture email directories, contacts and other personal data.

DocuSign has taken immediate actions to protect both customers and non-users of our eSignature service from these malicious third parties, including:
*   DocuSign immediately assembled our internal security team and launched a forensic investigation.
*   We notified users of the potential of spam attacks via docusign.com, docusign.net and email.
*   We contacted antivirus vendors including Symantec, McAfee, Microsoft Forefront, and others, along with law enforcement agencies, to notify them and enlist their support in fighting spam.

We have noted the following steps in our communications that you can take to protect against spam:
*   DO NOT OPEN any zip files or executable attachments, or click on any links within DocuSign branded emails that go anywhere other than https://www.docusign.com or https://www.docusign.net
*   FORWARD any suspicious emails to spam@docusign.com to help with our forensic efforts
*   Immediately DELETE the spam email
*   Ensure your antivirus software is up to date and enabled

Also, ensure your spam filter look-up is turned on so your mail server checks that the originating IP address is actually owned by the sender. You may also check https://www.docusign.com/spam for ongoing updates related to malware spam email. Again, thank you for your post and our apologies for the delayed experience you received over the phone.

DocuSign User
jdmc
Posts: 11
Registered: ‎12-05-2012

Re: DocuSign customer information security breach

I see that DocuSign's official response to this issue -- namely, to deny that any data breach has taken place -- hasn't changed over the past six weeks. Since MRider is still posting the same party line, I will refer readers back to my earlier post in this thread demonstrating the inadequacy of DocuSign's attempt to explain away the clear evidence of a breach.

Casual DocuSign User
KlickEKlick
Posts: 6
Registered: ‎01-24-2013

Re: DocuSign customer information security breach

I agree, 'no security breach' does not explain how I would receive a targeted attack sent to both of my accounts used for signing a doc in the same email. There is no random or a lucky guess. I am a new user as of mid Aug 2012. Sure this could be spun for users of free and work email domains but not for system admins of their own domain/networks. I've set up mail aliases to catch leaks just like this.

If there is no evidence of internal network breach then you should be looking for a man in the middle attack.  Maybe investigating your own IT staff (anyone recently let go) for leaking/selling your user list.  Neither of those methods would show up in your security logs.  
Other leaks not detectable:  Docusign outsourcing the marketing data for update notifications and advertisements to a 3rd party.  Outsourcing your email service to another company (spam, AV filtering, proxy services).   A compromised server in the same data center could be data sniffing unencrypted traffic or has collected enough raw packet data to brute force the secure connection.   Backup servers or tapes located at different locations.  Recycled equipment like hard drive arrays.  Someone with admin rights could cover up the breach because job security in IT doesn’t exist.   I am only posting these ideas to make a point.   These have a far better chance to be true than someone randomly guessing the email address I used was linked to signing a document.  Passing the buck on this isn’t going to suffice.   There are too many users affected that do not fall into the category of uninformed users.

The only other explanation in my case is the 3rd party user at the time of the document signing was compromised.  That would mean a majority of everyone else targeted was also using Redfin.   Any other suggestion of the ‘not us’ answer is too much of a massive coincidence.    

Using SPF/DKIM records does nothing but bump up the spam score; unless emails are being rejected that fail tests. That's not very realistic as many other mail servers do not support or enforce DKIM or SPF records. The scores for positive spam could be beaten to allow this email through. This does absolutely nothing if the attacker is using a valid email account that's been compromised or an MTA exploited via the loopback address. If the attacker didn't get my address in the first place, it wouldn't be an issue. BTW I use DKIM and SPF. I caught this watching for false positives in the spam box. Interesting nothing in my catch all or any other of my domains I use, not a random guess.

That server was hosting a Kryptik.Trojan payload. It's set up to trick you to install an update of your web browser. It has now been flagged as a phishing site. The refer site seems to be having some connectivity issues...

Casual DocuSign User
KlickEKlick
Posts: 6
Registered: ‎01-24-2013

Re: DocuSign customer information security breach

In addition, if Docusign was serious about catching or at least helping to shut the culprits involved, they would be asking for the full headers of the phishing email. Anytime you forward an email via SMTP the original headers are lost. That means forwarding the email does nothing but confirm another user got one of these and they can identify an IP hosting a file. The data of the sending IP is not being collected or how it was sent. These IP's could be posted to blocked list or turned over to authorities for further evidence. Then again it's not Docusign's problem right?

 

How to identify and view mail headers in common mail providers.
http://support.google.com/mail/bin/answer.py?hl=en&answer=22454

Casual DocuSign User
KlickEKlick
Posts: 6
Registered: ‎01-24-2013

Re: DocuSign customer information security breach

This was an interesting read.


http://agbeat.com/tech-news/docusign-security-breach-users-private-info-leaked-to-web-breaking/

 

Apparently Docusign allowed search engines to freely index their sites. So verification info about our signatures including email addresses were visible to search engines. When you click on the signature in your document it would connect to docusign.net and display info about validity. Aside of google and site caching exposing this info to the public a malicious user could change their user agent identity and index the site. Spoofing the user agent is a method to bypass security on many websites that allow full indexing. Newspaper companies that require subscription access have to deal with this all the time. Although not a hack, a user can gain access to data that would normally require authentication. A malicious user could have used a custom index bot pretending to be google site crawl and copied the entire site of the exposed data. Seems Docusign has been busy getting this info purged from search engine companies. Data breach = data leak. While their site was not exploited in an actual hack it was insecure against leaking personal information by allowing the site indexing in the first place. IMO This information should have been identified sooner in their SEO report and web analytics. Bottom line your personal information was insecure. The site has been updated to now only show the signature is Valid or Invalid. Docusign should have informed EVERY user about this issue via email. Anyone who gets this phishing email will not get the warning banner on Docusign webpage. They will not have any warning about it. Users should be informed about this. Instead of relying on data purges and AV companies to catch this. Where is the public security advisory?

Casual DocuSign User
KyleDjr
Posts: 1
Registered: ‎01-29-2013

Re: DocuSign customer information security breach

I can add to the chorus of concern here, and offer evidence that the leak is ongoing. I used docusign for the first time yesterday. This morning, I had two phishing emails to the email address associated with my docusign activity. I was not even a docusign registered user before I got the phishing emails (the legitimate documents were sent to me yesterday by a 3rd party and I declined to create an account; once the phishing happened and I found this message board, I created an account to add my experience to this thread). Clearly, docusign has an ongoing, current problem with this, not just some legacy leaks that are still kicking around out there. If anyone has any suggestions for any agencies or security firms I should contact to help raise awareness of this issue, let me know. 

Casual DocuSign User
KlickEKlick
Posts: 6
Registered: ‎01-24-2013

Re: DocuSign customer information security breach

Another one.

Received: from securebank.com ([41.98.155.221])

Redirect site click link. h**p://alap-innoglobekft.hu/bungling/index.html

Full header email address replaced.


Delivered-To: alias@mydomain.com
Received: by 10.194.216.2 with SMTP id om2csp45372wjc;
        Tue, 29 Jan 2013 06:14:19 -0800 (PST)
X-Received: by 10.112.49.102 with SMTP id t6mr535305lbn.60.1359468858556;
        Tue, 29 Jan 2013 06:14:18 -0800 (PST)
Return-Path: <message@securebank.com>
Received: from securebank.com ([41.98.155.221])
        by mx.google.com with ESMTP id th4si6402855lab.193.2013.01.29.06.14.15;
        Tue, 29 Jan 2013 06:14:18 -0800 (PST)
Received-SPF: neutral (google.com: 41.98.155.221 is neither permitted nor denied by best guess record for domain of message@securebank.com) client-ip=41.98.155.221;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 41.98.155.221 is neither permitted nor denied by best guess record for domain of message@securebank.com) smtp.mail=message@securebank.com
Return-Path: <dse@docusign.net>
Delivered-To: <alias@mydomain.com>
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-14357-c
X-CMAE-Scan-Result: 0
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-10936-c
X-CMAE-Scan-Result: 0
X-Orig-To: <alias@mydomain.com>
X-Originating-Ip: [209.67.98.59]
Received: from SEFE47.seaprod.com (unknown [192.168.72.11])
    by mailsea.docusign.net (Postfix) with ESMTP id RP9G4XOP43BY
    for <<alias@mydomain.com>>; Tue, 29 Jan 2013 08:14:15 -0600
X-DKIM: Sendmail DKIM Filter v2.8.2 mailsea.docusign.net JM1K3SS6PJ9D
Received: from docusign.net ([127.0.0.1]) by SEFE19.seaprod.com with Microsoft SMTPSVC(7.5.7601.17514);
     Tue, 29 Jan 2013 08:14:15 -0600
Sender: DocuSign System  <dse@docusign.net>
Reply-To: DocuSign Support via DocuSign  <service@docusign.net>
From: "DocuSign Support via DocuSign" <dse@docusign.net>
To: <alias@mydomain.com>
Message-ID: <6EK5CQR9AZCBNJ94O8E8Z7UZI36HT4@docusign.net>
Date: Tue, 29 Jan 2013 08:14:15 -0600
Subject: Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_V2JOE8JZ_0S1X_MPAC_AEA9_ONP46D8PUCNH"
X-OriginalArrivalTime: Tue, 29 Jan 2013 08:14:15 -0600 FILETIME=[98287635:04322135]
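Added example, not part of the original post: one way to read a header like the one above is to split it at the `Received` line stamped by the recipient's own mail server, since everything below that line arrived inside the message and was supplied by the sender. The function names are hypothetical, and treating `mx.google.com` as the recipient's MX is an assumption taken from the posted header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the header posted above; addresses were already replaced by the poster.
SAMPLE = """\
Received: by 10.194.216.2 with SMTP id om2csp45372wjc;
        Tue, 29 Jan 2013 06:14:19 -0800 (PST)
Return-Path: <message@securebank.com>
Received: from securebank.com ([41.98.155.221])
        by mx.google.com with ESMTP id th4si6402855lab.193.2013.01.29.06.14.15;
        Tue, 29 Jan 2013 06:14:18 -0800 (PST)
Return-Path: <dse@docusign.net>
Received: from SEFE47.seaprod.com (unknown [192.168.72.11])
    by mailsea.docusign.net (Postfix) with ESMTP id RP9G4XOP43BY
    for <<alias@mydomain.com>>; Tue, 29 Jan 2013 08:14:15 -0600
Received: from docusign.net ([127.0.0.1]) by SEFE19.seaprod.com with Microsoft SMTPSVC(7.5.7601.17514);
     Tue, 29 Jan 2013 08:14:15 -0600
From: "DocuSign Support via DocuSign" <dse@docusign.net>
"""

def domain(value):
    """Lower-cased domain part of an address header value."""
    return parseaddr(value)[1].rsplit("@", 1)[-1].lower()

def analyze(raw, trusted_mx="mx.google.com"):
    """Split Received lines at the hop stamped by our own MX (trusted_mx is an assumption)."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    by_mx = re.compile(r"\bby\s+" + re.escape(trusted_mx) + r"\s", re.I)
    idx = next((i for i, h in enumerate(received) if by_mx.search(h)), None)
    if idx is None:
        raise ValueError("no Received line written by " + trusted_mx)
    hop = re.search(r"from\s+(\S+)\s+\(\[([0-9a-fA-F.:]+)\]\)", received[idx])
    helo, ip = (hop.group(1), hop.group(2)) if hop else (None, None)
    # Everything below the boundary arrived inside the message: sender-supplied, unverifiable.
    unverified = [m.group(1) for h in received[idx + 1:] if (m := re.search(r"\bby\s+(\S+)", h))]
    env = [domain(v) for v in msg.get_all("Return-Path", [])]
    from_dom = domain(msg["From"])
    findings = []
    if env and env[0] != from_dom:  # first Return-Path: assumed set by the receiving MTA
        findings.append(f"envelope sender {env[0]} does not match From domain {from_dom}")
    if len(env) > 1:
        findings.append("extra Return-Path header carried inside the message")
    for host in unverified:
        if host.lower().endswith(from_dom):
            findings.append(f"hop at {host} is below the trust boundary, so unverified")
    return {"connecting_ip": ip, "helo": helo, "unverified_hops": unverified,
            "from_domain": from_dom, "findings": findings}
```

Calling `analyze(SAMPLE)` reports the connecting host and IP recorded by the receiving server, and lists the lower `Received` lines separately as unverified.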
Casual DocuSign User
KlickEKlick
Posts: 6
Registered: ‎01-24-2013

Re: DocuSign customer information security breach

Your site admin could start blocking (restricting) the hot linking of images on the http/https service, change the image they are linking to so that it reflects the malware warning, or force a redirect. They are linking to your logos via https with a valid SSL cert. This is why your web analytics should have flagged that something was up. 1000s of hits of direct linking to your image files. Public web tracking charts showed a large increase of traffic requests to docusign at the end of Dec...
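The kind of check the post above says web analytics should have caught, as an added example that is not part of the original post and not DocuSign's tooling: count image requests whose Referer is missing or points off-site, and flag images where such requests dominate. The host names, log lines and thresholds are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

OWN_HOSTS = {"www.example.com"}  # assumption: the only hosts expected to embed these images

# Constructed access-log lines in combined log format (not real traffic).
LOG = """\
198.51.100.7 - - [29/Jan/2013:06:14:20 -0800] "GET /images/logo.png HTTP/1.1" 200 5120 "https://www.example.com/login" "Mozilla/5.0"
203.0.113.9 - - [29/Jan/2013:06:14:21 -0800] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.24 - - [29/Jan/2013:06:14:22 -0800] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [29/Jan/2013:06:14:23 -0800] "GET /images/logo.png HTTP/1.1" 200 5120 "https://mail.example.net/inbox" "Mozilla/5.0"
198.51.100.50 - - [29/Jan/2013:06:14:24 -0800] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Jan/2013:06:14:25 -0800] "GET /images/icons/help.png HTTP/1.1" 200 900 "https://www.example.com/support" "Mozilla/5.0"
198.51.100.8 - - [29/Jan/2013:06:14:26 -0800] "GET /images/icons/help.png HTTP/1.1" 200 900 "https://www.example.com/support" "Mozilla/5.0"
"""

# Captures the requested image path and the Referer field.
LINE = re.compile(r'"GET (\S+\.(?:png|gif|jpe?g)) [^"]*" \d{3} \S+ "([^"]*)"')

def hotlink_report(log, own_hosts=OWN_HOSTS, min_hits=3, max_share=0.5):
    """Return {path: (external_hits, total_hits)} for images mostly fetched from off-site."""
    total, external = Counter(), Counter()
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        path, referer = m.groups()
        total[path] += 1
        # Mail clients usually send no Referer; webmail sends its own host.
        host = urlparse(referer).hostname if referer not in ("", "-") else None
        if host not in own_hosts:
            external[path] += 1
    # An empty Referer also occurs in normal browsing, so require both volume and share.
    return {p: (external[p], n) for p, n in total.items()
            if external[p] >= min_hits and external[p] / n > max_share}
```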
 

DocuSign User
jdmc
Posts: 11
Registered: ‎12-05-2012

Re: DocuSign customer information security breach

KyleDjr wrote:

 

I can add to the chorus of concern here, and offer evidence that the leak is ongoing. I used docusign for the first time yesterday. This morning, I had two phishing emails to the email address associated with my docusign activity. I was not even a docusign registered user before I got the phishing emails (the legitimate documents were sent to me yesterday by a 3rd party and I declined to create an account; once the phishing happened and I found this message board, I created an account to add my experience to this thread).

 

Let me see if I understand you correctly. You did not at any time create a DocuSign account (not to be confused with an account in this discussion forum, which is completely different). You also did not create or use a unique email address used nowhere else but with DocuSign. Rather, a third party entered your general-purpose email address (which is used and disclosed in many different places) as a recipient for sending notice of a document that needed to be e-signed. Is that right?

 

If that's true, what was it that made you associate the two phishing emails with DocuSign? Was it simply that the bogus emails were made to look as if they had come from DocuSign? That, in itself, is not DocuSign's fault. And if the bogus emails were sent to you at an address that you commonly use for many purposes, it may very well be a simple coincidence that you received them shortly after receiving legitimate email that was genuinely from DocuSign. A leak of your email address by DocuSign is still possible, but unless the address was known ONLY to DocuSign, it could've been harvested from any number of other possible sources.

 

Of course, none of this negates the fact that other unique email addresses that WERE known only to DocuSign have somehow been compromised and are now receiving spam, phishing, and malware-trojan emails.

Casual DocuSign User
DocusignInsecur
Posts: 2
Registered: ‎01-26-2013

Re: DocuSign customer information security breach

Get this one. I have two docusign accounts. 2 realtors used two different addresses for me and DS was too stupid to let me merge them when I got the second one. Whatever. Anyway, I have never given both to the same company or person. Why would I? Except docusign has them. Anyway all of a sudden after using docusign this November/December while buying my house, recently I started getting phishing spam addressed to both those addresses IN THE SAME MESSAGE. As in:
"To: my1staddress@domain.com, my2ndaddress@domain.com"

To the apologists here, do you really think that my one previously uncompromised address was stolen by some other means, then combined with my other address, and both used in a phishing campaign for Docusign, and it just coincidentally happened to both those addresses, and none of my other addresses, only AFTER I used those 2 addresses with Docusign?? I have a bridge to sell you if you buy that.

And remember--I only created my DS accounts in early November. Didn't they supposedly "fix" (well, hide and deny but whatever) that publicly-searchable signature page flaw months ago? Apparently this is ONGOING.

Docusign is lying and it is completely insulting to still not acknowledge that they screwed up. And to not tell us what they know about what has been stolen...I'll never forget this. I hope someone takes them to court for this. People have a lot riding on their documents and for all we know someone has all our personal info and documents already copied off docusign's servers.
Posted from Apple iPhone
Casual DocuSign User
Greg05162013
Posts: 3
Registered: ‎05-16-2013

Re: DocuSign customer information security breach

I'm researching an ONGOING security issue that I feel STRONGLY points to a customer data breach originating from Docusign. I'm posting this note here, because I feel our report strongly resembles the other reports by others noted here. My techniques for tracking and noticing the issue resemble the procedures noted here by others as well.

 

We found one of our "unique" docusign exclusive e-mail addresses had been jeopardized on or before 07/25/2012.

This date is marked by a phishing e-mail directed towards a unique email address reserved for docusign from the IP address 36.199.54.11 which is reported by MaxMind to be located at:

Beijing, Beijing Shi, People's Republic of China, Asia

39.9289, 116.3883

ISP: China Tie Tong

 

 

Many additional phishing emails followed after this date and continue to this day to this unique Docusign email address we created.

 

On 11/09/2012 we terminated the jeopardized address and replaced it with a new and unique email address.

 

On 01/24/2013 we have evidence that the NEW docusign address had also been jeopardized.

 

This could point towards a breach on our end... which I feel is unlikely simply because it seems like other non-docusign addresses would have also been compromised and I'm not seeing evidence of that.

 

It could point towards a man in the middle attack, I can't rule this out, but it would have had to take place over a long period of time, and again seems like it would have focused on more than just the docusign addresses...

 

So I feel that the highest likelihood would be some sort of breach at Docusign of customer e-mail addresses. Although I openly admit there are many other ways this could have happened based on my data. Because we actively used our Docusign account, any two (or more) of our clients could have leaked our unique docusign e-mail addresses through the methods mentioned here. But it appears it would have required at least 2 of them to do so. I imagine this could happen several ways, such as clients using the same jeopardized terminals at a library to read mail or at a major e-mail provider. But it does seem a little high that the two addresses jeopardized were both for our docusign accounts (when there are hundreds of other possible vendor addresses unaffected) and that there are other more incriminating reports pointing to similar events during the same time frame of docusign addresses being compromised.

 

I also think my report of the breach occurring prior to 7/25/2012 is the earliest date reported and should initiate a new look by Docusign into possible security breaches prior to that date and which continued at least through 11/09/2012, the date we updated our credentials to the second address that was compromised.

 

Below, I'm including a list of phishing attempts where our docusign exclusive email addresses were used, in hope others searching on the keywords will find this thread and their reports can help find a pattern here that leads to a source of the breach. 

 

Phishing e-mails to our compromised docusign addresses attempted to spoof messages from the following companies:

ADP - ADPClientServices (at) adp.com

Schwab.com

eFax message (at) inbound.efax.com

Apple appleid (at) id.apple.com

Newegg - info (at) newegg.com

FedEx - TrackingUpdates (at) emails.fedex.com

eTrade.com - SmartAlerts-DoNotReply (at) etrade.com

Better Business Bureau - info (at) newyork.bbb.org

American Express - AmericanExpress (at) welcome.aexp.com

Xerox WorkCentre xerox.device6 (at) OUR DOMAIN NAME ASSOCIATED WITH THE DOCUSIGN E-MAIL ADDRESS

SalesForce - support (at) salesforce.com

AT&T Customer Care icare7 (at) amcustomercare.att-mail.com

Casual DocuSign User
Greg05162013
Posts: 3
Registered: ‎05-16-2013

Re: DocuSign customer information security breach

FYI - 

 

You have some broken images assigned to your social media links at the bottom of this forum:

http://www.docusign.com/images/icons/s_twitter.png

http://www.docusign.com/images/icons/s_facebook.png

http://www.docusign.com/images/icons/s_linkedin.png

All produce 404 errors and:

http://www.docusign.com/blog/wp-content/uploads/2010/12/rss.png

Links to a page not a png

 

These broken links can be seen most places in the forum including this page:

http://community.docusign.com/t5/Announcements/bd-p/community_announcement

 

 

Casual DocuSign User
Greg05162013
Posts: 3
Registered: ‎05-16-2013

Re: DocuSign customer information security breach

one more broken image link:

 

http://www.docusign.com/blog/wp-content/uploads/2010/12/learning_center.png

is not a png, it returns a page, this image is in the right side bar of:

http://community.docusign.com/t5/Announcements/bd-p/community_announcement

in the ADDITIONAL RESOURCES block.

Casual DocuSign User
benw
Posts: 1
Registered: ‎07-16-2013

Re: DocuSign customer information security breach

any update on this issue? It seemed to die off. Did the affected users ever get any resolution or explanation from DocuSign?

DocuSign User
jdmc
Posts: 11
Registered: ‎12-05-2012

Re: DocuSign customer information security breach

[ Edited ]

benw wrote:

any update on this issue? It seemed to die off. Did the affected users ever get any resolution or explanation from DocuSign?

Nope... no updates, resolutions, or satisfactory explanations. The case remains unresolved.

Community Manager
DocuMarc
Posts: 1,369
Registered: ‎07-01-2013

Re: DocuSign customer information security breach

Hello everyone,

 

All updates are located in our Trust Center. Please find them at: Updates and Alerts

 

Please remember to be particularly cautious if you receive an invitation to sign or view for an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

DocuSign's top priority is the privacy and security of our customers' information, documents, and data.