Docusign -- a breach? Or just phishing?

439 words, 2 mins

UPDATE 2: Docusign have finally admitted that they have had a data breach: Docusign Community (although you’ll be hard pushed to find it if you were desperately trying to find information).

UPDATE: seems Docusign have been forced to come clean at KrebsOnSecurity.

My landlord usually sends us the tenancy agreement to sign using a service called Docusign. Docusign allows people to provide a legal signature for a document via an online website.

Within an hour of receiving the email with the link to sign the document at Docusign, I received three more emails, looking very like the first one, complete with Security Key. My partner also received these emails. Each batch of emails seemed to relate to the same (fake) name (Cameron Smith, Matthew Moore, William Collins, Kevin Moore) and the subject on all them was “Wire Transfer Ready for Signature”.

Looking closely though, it was clear that the links on the other emails were to a ‘hacked’ website. Looking through the code, it would have downloaded scripts that would have exposed my computer to malware.

I went to the Docusign website, the their forums, to find that I was not the only one with this problem. But the response from Docusign was that this was simply a phishing email and we should ignore it and delete it. I pointed out that it was a considerable coincidence that the phishing emails arrived very shortly after the real email and were sent to the same email address. (I have half dozen email addresses, the only one to receive the phishing emails was the one registered with Docusign).

Others on the forums were also concerned, some of them created unique emails for their Docusign account. It was becoming pretty clear that this was more than random emails being sent out, in fact it appeared that Docusign’s system had been hacked.

I went to post some more observations, but my posts no longer showed up. In fact the thread was closed and move to “Solved”. Other posts started to appear, they all received a similar response: “this is a phishing email, delete it and move on”. I’ve been trying to post on other threads but I seem to be blocked.

The problem is that Docusign is based in California, USA and there are quite strict laws there as to disclosing breaches. So it’s understandable that they don’t want too much publicity. But Docusign base their business on trust. They store clients legally binding signatures as well as email addresses and other personal/private information.

They also use an SSL certificate that throws errors on some browsers… :(