Image

"...[T]oday we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure."It's a good thing the breach didn't affect customers' more sensitive information. But bad actors can still do a lot with stolen email addresses. Worst of all, they can abuse them to conduct secondary attacks. DocuSign has already detected one such follow-up campaign. The offensive begins when a customer receives what appears to be an email from DocuSign requesting their signature for an accounting invoice. There's just one problem: although it exhibits company branding, the email is a fake. In actuality, it's a means of spreading a malicious Word document that's capable of downloading banking malware onto a customer's machine.
Image
