DocuSign, a provider of electronic signature technology, confirmed Tuesday (May 16) that a series of malware phishing attacks targeting its customers was the result of a data breach at the company.
According to a report in KrebsOnSecurity, the San Francisco–based company said the data that was stolen was only user email addresses. Earlier in the month, DocuSign said it was tracking a malicious email campaign and that the email was not associated with the company. In an update this week, DocuSign changed its tune, saying a third party was able to send the malicious email to its customers and users because its computers had been hacked, noted the report.
“As part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email,” DocuSign wrote in an alert posted to its site, reported Krebs. “A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, Social Security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.”
The company went on to warn users that if they receive an email from DocuSign recently to not respond to it or click on the link in the message. The company said when in doubt access documents directly from the website and enter a unique security code that is included at the bottom of real DocuSign email. DocuSign said it never asks recipients to open a PDF, Office document or zip file in an email. Krebs noted that DocuSign was already a target for hackers, but the recent incident will likely result in an uptick in the number of attacks against the company’s users and customers.