DocuSign, a leading US-based digital signature company, has confirmed a malicious hacker was able to gain "temporary access" to its computer networks and access customer email addresses, later using them to target a slew of its users with an email phishing scam.
In a security update this week (16 May), the firm said that only email addresses were stolen, adding that "no names, physical addresses, passwords, social security numbers, credit card data or other information" were accessed by the hacker. It said its core systems remain secure.
In a series of updates to users, beginning on 9 May, DocuSign said it was tracking a malicious email campaign that was trying to get victims to click on a Microsoft Word attachment, designed to trick the recipient into allowing the spread of what is known as "macro-enabled-malware".
Using the company's "eSignature" system as a lure, the emails attempted to trick victims by posing as an accounting invoice that needed to be signed.
It remains unclear what type of malware the hacker was attempting to spread. The firm is now urging anyone who receives such an email to forward it to firstname.lastname@example.org and then delete it.
"These emails are not associated with DocuSign," the company said in its security update.
It continued: "They originate from a malicious third-party using DocuSign branding in the headers and body of the email. The emails are sent from non-DocuSign-related domains.
"Please remember to be particularly cautious if you receive an invitation to sign or view a document you are not expecting. If you have received a copy of the [...] email, do not open any attachments."
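The two traits the update calls out, DocuSign branding paired with a sender domain that is not DocuSign's, and a macro-capable Word attachment, can be turned into a simple mail-triage rule. The code below is an added illustration, not DocuSign's or the article's; it assumes docusign.com and docusign.net are the legitimate sender domains and runs against constructed sample messages.

```python
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: these are the only sender domains treated as legitimate DocuSign mail.
LEGIT_DOMAINS = {"docusign.com", "docusign.net"}
# Word formats that can carry VBA macros; a plain .docx cannot.
MACRO_EXTENSIONS = (".docm", ".dotm")
BRAND = re.compile(r"docusign", re.IGNORECASE)

def sender_domain(msg: EmailMessage) -> str:
    """Return the domain of the From: address (empty string if absent)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def suspicious_indicators(msg: EmailMessage) -> list:
    """List the lure traits from the advisory that this message exhibits."""
    hits = []
    display_name = parseaddr(msg.get("From", ""))[0]
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    branded = any(BRAND.search(s) for s in (display_name, subject, body_text))
    if branded and sender_domain(msg) not in LEGIT_DOMAINS:
        hits.append("docusign-branding-from-foreign-domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            hits.append(f"macro-enabled-attachment:{name}")
    return hits

def build_sample(from_hdr, subject, body, attachment_name=None) -> EmailMessage:
    """Construct a sample message for testing the rule (not a real campaign email)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = from_hdr
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg

# Constructed samples: one mimicking the invoice lure, one ordinary message.
LURE = build_sample("DocuSign <billing@invoice-mailer.example>",
                    "Completed: Invoice ready for signature",
                    "Please review and sign the attached invoice via DocuSign.",
                    "invoice_2017.docm")
NORMAL = build_sample("Alice <alice@example.com>", "Lunch", "See you at noon.", "menu.docx")
```

Calling `suspicious_indicators(LURE)` reports both traits, while `suspicious_indicators(NORMAL)` returns an empty list.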
DocuSign said additional security has been put in place, but did not elaborate further. On its website, it claims to have more than 200 million users in over 180 countries. It has not yet revealed how many email addresses were compromised in the breach.
It added that US law enforcement is now probing the incident. The firm maintained that "no content or any customer documents sent through DocuSign's eSignature system was accessed and DocuSign's core eSignature service, envelopes and customer documents and data remain secure."
"Malicious email attachments are a critical threat as they can easily bypass traditional defences as part of sophisticated spearphishing attacks," said Steven Malone, director of security product management at cloud services enterprise Mimecast, in a statement via email.
"DocuSign customers need to be extra vigilant when opening any documents purporting to be from their service. Verify with the sender before opening any documents or clicking on any links. Criminals will try all manner of ways to trick employees into enabling macros," he added.
Cybersecurity expert Brian Krebs, in an article about the leak, said the incident is "likely to intensify attacks against its users and customers".
He added: "It seems all but certain that the criminals who stole the company's customer email list are going to be putting it to nefarious use for some time to come."
You can see the full DocuSign security update page here.