E-signature company Docsketch has just disclosed a security breach involving customer data, reported ZDNet. The incident, which happened back in August, was due to unauthorized access by a third party.
The company sent an email notification to users telling them about the security breach. According to the email, the unauthorized party accessed a database copy containing important information about users.
The file shows a snapshot of the service dated July 9, 2020. Technadu explained that users who used Docsketch before this date have had their info compromised, while those who used the service after the date are safe.
According to ZDNet, which was able to see the email, the database “contained contact information and form fields related to documents filled out by users and users’ recipients.”
The number of users affected was not disclosed, but it is important to note that the service is ranked in the Alexa Top 25,000 most popular websites.
Founder Ruben Gamez clarified that the attackers were not able to access the documents themselves. However, they were able to view the information provided by users and recipients while filling out the document.
This means that names, signatures, payment card details, login information, contacts, and other sensitive information could be compromised.
While Gamez admitted that passwords were also exposed, Docsketch explained that it uses password strings that are “salted and hashed.” The extent of the salting and hashing system was not clear and was not discussed.
ZDNet pointed out that some salting and hashing techniques can be cracked “under certain conditions to reveal original plaintext passwords.”
For customers who were affected, Docsketch published a set of instructions to help prevent malicious actors from taking advantage of the situation.
According to its website, those who believe that their credit card information is compromised should “review [their] credit card statements for the affected credit card and look for unauthorized transactions.” They are also advised to consider freezing the account.
For social security numbers, a review of their credit report and a security freeze are advised. The company referred possibly affected individuals to credit reporting firms and fraud alert agencies.
Meanwhile, Gamez said that the company’s systems have already been secured and updated after the attack. He added, “We’re still working out the details but rest assured this is our top priority and we’re going to continue making significant security and infrastructure updates.”