Some DocuSign users began receiving phishing emails after hackers temporarily breached a company database containing customer email addresses, and the electronic signature service is advising customers to take specific steps to ensure the security of their systems.
DocuSign said its core eSignature service, envelopes and customer documents and data remain secure. DocuSign also said it has put additional security controls in place and is working with law enforcement agencies. A Forbes report said the breach could have affected as many as 100 million email addresses.
“The emails ‘spoofed’ the DocuSign brand in an attempt to trick recipients into opening an attached Word document that, when clicked, installs malicious software,” DocuSign Global Communications director Adrian Wainwright posted on the company’s website.
“However, as part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, Social Security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed,” Wainwright wrote.
There’s no indication that DocuSign’s breach is related to the WannaCry ransomware cyberattack that, thus far, has infected more than 300,000 computers in 150 countries.
DocuSign is advising customers to take the following steps:
- Forward any suspicious emails related to DocuSign to [email protected], and then delete them from your computer. They may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like “docusgn.com” without an ‘i’ or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net
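The link check from the step above, as an added example (not DocuSign's code): it parses each URL and compares the host exactly, because a literal "starts with" test also accepts hosts that merely begin with a trusted name. The function names and sample URLs are constructed for illustration; the two trusted hosts are the ones named in the advisory.

```python
from urllib.parse import urlsplit

# The two hosts named in the advisory text above.
TRUSTED_HOSTS = {"www.docusign.com", "www.docusign.net"}
TRUSTED_PREFIXES = tuple(f"https://{h}" for h in sorted(TRUSTED_HOSTS))


def naive_prefix_check(url: str) -> bool:
    """Literal reading of 'starts with'; shown only for contrast."""
    return url.startswith(TRUSTED_PREFIXES)


def link_is_trusted(url: str) -> bool:
    """True only for an https link whose host is exactly a trusted host."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed host or port
        return False
    if parts.scheme != "https" or host is None:
        return False
    # Anything before '@' is userinfo, not the host; legitimate links do not use it.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    return host.rstrip(".") in TRUSTED_HOSTS


def suspicious_links(urls):
    """Return the links that fail the exact-host check, in input order."""
    return [u for u in urls if not link_is_trusted(u)]


# Constructed sample links, as they might be extracted from an email body.
SAMPLE_LINKS = [
    "https://www.docusign.net/Member/sign",
    "https://www.docusign.com/",
    "https://www.docusgn.com/sign",                # misspelling from the advisory
    "https://www.docusign.com.evil.example/sign",  # trusted name used as a subdomain label
    "http://www.docusign.com/sign",                # not https
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{'ok     ' if link_is_trusted(link) else 'SUSPECT'} {link}")
```
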
“Your trust and the security of your transactions, documents and data are our top priority. The DocuSign eSignature system remains secure, and you and your customers may continue to transact business through DocuSign with trust and confidence,” Wainwright wrote.
DocuSign has about 200 million users, a Reuters story said, and has 12 of the top 15 U.S. financial services companies as its clients.