
DocuSign email address database breached and used for phishing campaign - runesoerensen
https://trust.docusign.com/en-us/personal-safeguards/
======
graystevens
This is the exact reason I started building Breach Canary[0], so that
businesses can be alerted as soon as their user data is used in a way they
wouldn't expect it to be. We produce authentic users with real working email
addresses and phone numbers, so that as soon as they are contacted, you know
someone has a copy of your userbase and is using it for reason x.

We have already started seeing a tonne of DocuSign phishing emails as others
have mentioned. They were already a popular target for phishing users but now
with very realistic documents the users are expecting? Nightmare.

[0] [https://BreachCanary.com](https://BreachCanary.com)

~~~
Kiro
I presume canary is an established term in this context but since I don't know
what it is I don't understand your service. It sounds good though.

~~~
Loic
It is coming from the canary birds in the coal mines or in submarines[0]. They
have a higher sensitivity to CO than humans. This is now part of the common
language to say that you sacrifice an animal or "something" to get early
warning of something possibly more dangerous.

[0]: [https://en.wikipedia.org/wiki/Sentinel_species#Historical_ex...](https://en.wikipedia.org/wiki/Sentinel_species#Historical_examples)

~~~
amelius
Just wondering, what exactly is being sacrificed in this specific case?

~~~
kuro-kuris
It is artificial users; when their data is used, it means your privacy has been
breached. In a way a canary is not just a sacrifice but a transparent
sacrifice.

------
withinrafael
I'm not sure DocuSign has a full handle on what happened here yet. I received
six (6) DocuSign emails, half of which used a convincing subject derived from
actual DocuSign documents I have signed or processed through the system.
Perhaps a coincidence? Or these hackers gained access to more than just "email
addresses".

~~~
secfirstmd
Hmmm, yes, I have received a few and, if I recall, some of them had titles very
similar to docusign documents I was previously sent.

Exact titles similar to this: "Accounting Invoice 630761 Document Ready for
Signature"

~~~
user5994461
The postmortem states that the phishing campaign used only a few patterns.

"Delete any emails with the subject line, “Completed: [domain name] – Wire
transfer for recipient-name Document Ready for Signature” and “Completed
[domain name/email address] – Accounting Invoice [Number] Document Ready for
Signature”. These emails are not from DocuSign. They were sent by a malicious
third party and contain a link to malware spam."

Did you receive phishing with other subjects?

~~~
koolba
As a general rule, if you receive an email referencing wire transfers, it's
probably bogus.

~~~
adrianN
Given the ratio of spam to ham, as a general rule every email is probably
bogus.

~~~
Neliquat
You'd think that, but I never seem to get spam bug reports or feature requests.
Always sex, drugs or money related, it seems.

~~~
nobodyorother
Now you've just given me new, horrifying, nightmares of the future.

----

Feature Request: Your software does not make it easy to buy drugs, money, or
sex as buydrugsmoneyandsex-dot-com does. Please implement
buydrugsmoneyandsex-dot-com functionality by directing users to that website
through our affiliate link program:
[http://preview.tinyurl.com/2tx](http://preview.tinyurl.com/2tx)

------
janwillemb
In my opinion they're doing well taking responsibility like this and
communicating honestly and openly. You can always disagree on how far the
openness should go, but I've seen far less openness and far less communication
(as in approaching zero), so they deserve some credit for doing it this way.

------
KirinDave
Thanks Every Employer I've Had In the Past 6 Years For Putting My Email In A
Service I'd Never Want Otherwise.

Also Thanks Me for just using docusign w/ our employees when I was in charge.

~~~
Xylakant
I strictly started handing out "companyname@mypersonaldomain.tld" as email
when interacting with companies. That at least makes routing the inevitable
spam to the trash bin slightly easier when a breach occurs. It also provides
an indicator of who has (in)voluntarily given away my data.

~~~
c22
I've been doing this for a while. It's especially interesting when giving it to
a representative in person; some people will refuse to enter it in their
systems. I've also had one webform reject it outright. Lately I've started
just using random words to get around this awkwardness and make my pattern
less predictable. When I get the first email from that company (often happens
within minutes) I just give it the actual company's name as an alias in my
client.

~~~
lorenzhs
AliExpress does this, they don't accept "aliexpress@foo.bar". I suppose it's
meant to stop you from providing "foo@aliexpress.com", implemented lazily by
rejecting anything that contains the substring "aliexpress".

Best response I've received when giving an email address of the form
"company@mydoma.in" to a representative in person was "oh you work here too?".
The concept of catch-all domains is so foreign to most laypeople that it takes
quite some explaining ("I get everything that's sent to any address at that
domain", "no it's not expensive at all", "it helps me automatically sort my
email").

~~~
wiredfool
A catchall on my domain was all fun and games till the second dictionary spam
run.

~~~
dspillett
I've heard that being a problem, though I've never had that issue using a
subdomain for the catchall (company@sub.domain.tld).

Some sites refuse to accept email addresses with more than one "." after the
"@", but I figure that if they don't understand email addresses I don't want to
trust them with my details (even throw-away ones) anyway, so I go elsewhere.

~~~
linsomniac
Gmail allows you to do extension addresses like "myname+company@gmail.com",
which I've used since switching away from my own mail server where I did the
catch-all. Some places are rejecting "+" in the address though. I was trying
to give one to Dell and the tech I was talking to told me the system wouldn't
accept the address, but that the "+dell" was just an extension "so can I put
it in without that?"

The combination of them knowing that this was valid and just wanting to strip
off the extension kinda blew my mind for some reason.

------
gogopuppygogo
Looks like it took them about six days to figure out why their customers were
getting spammed. It'd be helpful if they could outline what the "non-core
system that allows us to communicate service-related announcements to users
via email" actually was. Was this a Mailchimp account that got hacked into or
did they have something they managed?

~~~
roemerb
I had the same impression. Pretty sure it was their MailChimp (or similar
service) account.

~~~
homero
Yeah, or an API key leaked.

------
closeparen
Emails and email addresses are _very_ different in the context of DocuSign.
The former includes the text of contracts. The latter is just a list of people
who have ever given or received a job offer.

~~~
cottsak
Sure, they're different, but make no mistake: emails being breached are a big
deal! This is an appropriate response:
[https://twitter.com/troyhunt/status/864315287092342785](https://twitter.com/troyhunt/status/864315287092342785)

~~~
pmiller2
I fail to see how slightly wider dissemination of a bit of info I post
publicly on my profile at this very web site constitutes a privacy or security
risk to me.

~~~
tjoff
Well, that is you. Others just might be quite a bit more careful. Or is that
inconceivable for you?

------
annnnd
> Ensure your anti-virus software is enabled and up to date

Uh, really, endorsing antivirus? They could at least have written something
like "Ensure your system is properly secured" if they felt they needed to
stress that.

~~~
jrochkind1
And ~90% of the recipients would think "ensure my system is properly secured?
How the heck do I do that?"

~~~
rkeene2
Well, at least now they are THINKING about how they might do that rather than
relying on the mystical protection spell of antivirus, which usually reduces
the security posture of the machine.

------
defined
Ok, they deserve credit for openness, definitely.

Is it just me that feels this way, or should they not also apologize for the
leak (which appears to have been from one of their systems)? I didn't see an
actual apology.

------
wjke2i9
It amazes me that Facebook allows you to get pgp encrypted emails delivered
from them[1], but docusign, a company whose only job is secure document
signing via secret links in an email, does not.

[1] [https://www.facebook.com/notes/protect-the-graph/securing-em...](https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302/)

------
marenkay
Been receiving phishing mails for this myself and I highly doubt this has just
been about email addresses, as the mail subjects contained titles of signed
documents.

------
westoque
Since there are now many occurrences of data breaches out there, I cannot
stress enough the importance of a password manager and diversifying your
passwords.

This one I learned from Troy Hunt and never looked back.

[https://www.troyhunt.com/only-secure-password-is-one-you-can...](https://www.troyhunt.com/only-secure-password-is-one-you-cant/)

------
welpwelp
I did get an email from them which looked actually legit and opened it. It
redirected me to a 404.

Is there a chance I could've been compromised in any way? I'm guessing they
couldn't have gotten much more than my IP address, maybe some cookies, all my
passwords, private life?

------
rodionos
It's good to see major security issues featured on HN. As a consumer, I
typically react by resetting credentials, checking configurations etc. I'm not
involved in the IT security field, so HN serves as one of the early warning
systems for me.

------
mariusmg
I've got a ton of these phishing emails in the last week. They were all
pointing to a Russian website. Pretty bad security fuckup by Docusign.

------
partycoder
The phishing emails had the color scheme changed, making them very phony and
easy to classify.

~~~
welpwelp
They still got me! :>

------
m103forme
I've been getting these fake DocuSign phishing emails for the last 2 weeks.

------
lihan
Is there more than just email addresses that were leaked? How do we know they
did not leak more?

------
logicallee
I would like to urge the Google team to solve one aspect of this problem,
forever.

It takes no more than 20 minutes to prototype and then approximately 1 day to
fully test the final solution that is necessary on their end to keep
compromised emails from being fully compromised addresses forever, without any
chance for you to ever know at any point in the future where mail REALLY comes
from. Here is a description:

1. Currently they (Google) correctly do 99% by allowing you to type a + after
your email address to create a new inbox that is marked in a special way. For
example if your address is jsmith747@gmail.com then you can give the company
jsmith747+docusign@gmail.com when you sign up - that inbox goes to you and
when you start receiving spam in the future to "jsmith747+docusign" you can
tell how they got it. The phishing mails associated with this breach would
have gone to the same place.

2. The one and only problem with this, which currently has a "security
through obscurity" solution, is that anyone can run a regex and remove
+docusign to get at the primary, main inbox: jsmith747@gmail.com

3. The full and complete solution is to allow me to create a new inbox in
Gmail through a single step, for example "j45rsdfjdocusign" which is linked to
jsmith747 in a single direction. Sending mail is not necessary. This must be
enabled through the Gmail interface for signed-in users who wish to create a
new inbox. They must be able to generate an inbox there, which thereafter goes
to the inbox.

4. Spammers have no way to programmatically get the original underlying
address when going through a list. When they get to j45rsdfjdocusign there is
no regex they can apply to get the original.

5. If in the future j45rsdfjdocusign starts getting spammed, etc, you can add
a filter.

There's no special authentication around it; anyone signed into their inbox
should be able to do it. They already have the infrastructure up for it
around their + coding scheme.

To emphasize how important it is, here is a comment from this thread:

>The phishing emails had the color scheme changed, making them very phony and
easy to classify.

Today. Under the current status quo, if in 48 months a much more
legitimate-looking mail is sent to any of the same addresses, none of the
recipients have any way to know the source of those addresses.

However, after solving this security issue, in 48 months anyone receiving even
a very convincing phishing email could know instantly "oh, that is that
compromised docusign account" -- that is, if they haven't taken a moment to
redirect that inbox to the trash already via a filter.

I urge Google, who has very talented engineers, to implement the correct
solution today. Don't wait. You won't get a better example of how important
this is, than what's been going on. There are no policy implications as you
already do it via the + trick.

I hope you go the extra mile and add a small step to finish solving the
problem. Thank you.
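
The per-company addresses described earlier in the thread (Xylakant, c22) and the one-way alias scheme proposed above, as an added example that is not part of any comment here. It assumes a hypothetical owned domain and a constructed secret; the alias local part is an HMAC tag, so the plain `+company` regex that recovers the primary inbox does nothing to it, the company name never appears in the address (which also sidesteps substring filters like the AliExpress one), the owner can still map an inbound address back to the company that was given it, and any never-issued address is rejected, which is what blunts a dictionary run against a catch-all.

```python
import hashlib
import hmac
import re

# Constructed demo secret: the mailbox owner generates one and keeps it private.
SECRET = b"constructed-demo-secret"
DOMAIN = "mypersonaldomain.tld"  # hypothetical owned domain, as in the thread


def strip_plus(addr: str) -> str:
    """The regex any list processor can run to undo '+company' tagging."""
    return re.sub(r"\+[^@]+@", "@", addr)


def make_alias(company: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Per-company address whose local part is a keyed tag: without the secret it
    reveals neither the company name nor the owner's primary mailbox."""
    tag = hmac.new(secret, company.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"{tag}@{domain}"


class AliasRegistry:
    """Owner-side record of which alias was handed to which company."""

    def __init__(self, secret: bytes = SECRET) -> None:
        self.secret = secret
        self.company_by_alias: dict[str, str] = {}
        self.disabled: set[str] = set()

    def issue(self, company: str) -> str:
        alias = make_alias(company, self.secret)
        self.company_by_alias[alias] = company
        return alias

    def disable(self, alias: str) -> None:
        """'Add a filter' once an alias starts receiving spam."""
        self.disabled.add(alias.lower())

    def classify(self, rcpt: str) -> str:
        """Route an inbound recipient address: the company it was issued to,
        'disabled' for a turned-off alias, or 'unknown' for any address that was
        never issued (reject these instead of accepting them catch-all style)."""
        rcpt = rcpt.lower()
        if rcpt in self.disabled:
            return "disabled"
        return self.company_by_alias.get(rcpt, "unknown")
```

When a phishing wave arrives, `classify` on the To: address names the company whose list was copied, which is the early-warning signal the thread is after.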

~~~
pwg
> The full and complete solution is to allow me to create a new inbox in Gmail
> through a single step, for example "j45rsdfjdocusign" which is linked to
> jsmith747 in a single direction.

When hosting your own email on your own domain you get this benefit out of the
box now, without waiting for google to add it for you.

I've been doing this for years; each different company gets a unique email
address. Real easy to see who has lost track of their email database, and very
easy to turn off those that turn spammy as their business declines and they
get ever more desperate to generate sales from their existing "customer list".

~~~
JabavuAdams
That solves this one issue, but now you're fully responsible for your email
server's security. While this may be a feature for some, for the general
(developer) public, it's a bug.

~~~
glenneroo
Many cheap hosting services offer a catch-all email option for your domains, and
my own experience using various services says it's generally included in the
price, i.e. "free".

------
aerovistae
Wow, I just signed up for this today. Unbelievable. The timing.

------
Kenji
>The emails “spoofed” the DocuSign brand in an attempt to trick recipients
into opening an attached Word document that, when clicked, installs malicious
software.

I love how nothing changed about this malware payload delivery in about 2
decades.

