"Meeting The Most Rigorous Security Standards In The World," DocuSign declares on its website. But everyone has bad days.
On Monday, the electronic document-signing startup announced that hackers stole a list of email addresses belonging to its customers and their contacts, which are now being used in widespread phishing attempts. The number of email addresses is still unclear. According to that was compromised:DocuSign, "Right now we are still acting on the results of our ongoing investigation and cannot comment on those details." The company maintains that email addresses are the only information
[T]oday we confirmed that a malicious third party had gained temporary access to a separate, non-core communication system used for service-related announcements that contained a list of email addresses. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. [Emphasis in original.]
DocuSign reiterated in an update, "No content or any customer documents sent through DocuSign's eSignature system was [sic] accessed. DocuSign's core eSignature service, envelopes and customer documents and data remain secure." The company cautioned customers to be extra-cautious about emails emblazoned with DocuSign branding, and instructed, "Forward any suspicious emails related to DocuSign to firstname.lastname@example.org, and then delete them from your computer."
Breaches are not uncommon. This one could be much worse, since your email address is a relatively public piece of information. Security expert Troy Hunt, who runs a service that alerts people when their account details are exposed, wrote on his blog, "The whole point of an email address is that you share it with other people -- that's how you get emails sent to it! Email addresses are also readily discoverable via various online channels, both legitimate and a bit shadier. It's usually a trivial affair to track down someone's address because after all, that's how you get in touch with them!"
However, because of the sensitive nature of the information that passes through DocuSign, an incident like this might dent its brand more than it would others. Confidential contracts and medical documents are circulated and signed via DocuSign -- if the hackers had been able to access any metadata about the types of documents or filenames associated with each email address, that would be much worse. Even given the minor impact, customer trust in DocuSign will naturally take a hit, and presumably a few of those phishing emails will hit their marks.