DocuSign

Today, DocuSign — a provider of e-signature technology — acknowledged a data breach incident following which a third-party managed to gain access to the email addresses of its customers, data that it's now using in massive spam campaigns.

[A]s part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

The company discovered the data breach after in the last two weeks they continued to detect spam campaigns targeting clients. All emails used official branding and were made to look like real DocuSign emails.

Crooks leveraged data for two spam campaigns already

According to alerts posted in the DocuSign Trust Center, the biggest and notable spam campaigns took place on May 9 and 15.

The company is now advising customers to deleted any emails with the following subject lines, used in the two spam campaigns.

  • Completed: [domain name]  – Wire transfer for recipient-name Document Ready for Signature
  • Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature

All emails with these messages contain Word documents as attachments, which when opened try to trick users into activating Microsoft Word's macro feature. If this feature is allowed to execute, the Word macro functions embedded in the Word document will download and install malware on the victim's computer.

New spam campaigns will follow

DocuSign is now informing customers that their emails were exposed in an attempt to raise awareness and mitigate any further spam campaigns that might target its userbase.

DocuSign engineers would like customers to forward any suspicious emails they receive to spam@docusign.com, so the company's security team could analyze emerging threats.