Industry News

DocuSign admits hackers accessed its customer email database, sent out malware

If you ever work on contracts with other companies there is a good chance you will have found yourself signing a document electronically, and if that’s the case there’s a good chance you will have used the DocuSign digital signature service. You may not have even used the service so often that you barely think twice before clicking on links that the company sends to you.

The truth is, however, that you might be wiser to show more caution.



Earlier this month DocuSign detected that some of its customers and users were receiving emails purporting to come from the company, attempting to trick recipients into clicking on an attached Word document that would install malware.

The emails had subject lines like:

“Completed: [domain name] – Wire Transfer Instructions for [recipient name] Document Ready for Signature”


“Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”

So far, so not very unusual. It sounds like the usual story of online criminals forging email headers and spamming out malware posing as a legitimate communication.

But the story has become more serious, as DocuSign has now discovered that hackers managed to breach its systems and gain access to a system that allowed the attackers to send out emails to DocuSign’s customers.

“…today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.”

“In short, the malicious emails pretending to come from DocuSign were sent by an unauthorised third-party who had accessed email addresses via one of DocuSign’s non-core systems. The hackers then sent out phishing emails to those email addresses.”

DocuSign is asking users who have received suspicious emails to forward them to, before deleting them from their inbox.

The company is also underlining that it will never ask recipients to open a PDF, Word document or ZIP file attachment in an email.

Of course, following the breach your email address has fallen into the hands of hackers. They may use that to send you fraudulent emails designed to infect your computer with malware or steal your credentials, or they may even sell it on to other criminal gangs.

Keep your wits about you, and always be careful about clicking on unsolicited email attachments – even if it does appear to have been sent to you by a legitimate business.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.