Alerts and updates
-
04/06/2018
To ensure smooth DocuSign support deprecation for TLSv1.0, we have changed the effective date for this change. DocuSign will end TLSv1.0 support effective June 25, 2018. Please refer to the original end of support notice for further details.
Visit DocuSign’s System Requirements page for information about browsers supported by DocuSign. These browsers will continue to work after the change.
-
03/22/2018
DocuSign has observed a new phishing campaign that began the morning of March 22nd, 2018 (Pacific Time). The email purports to come from DocuSign using the email addresses [email protected] and [email protected]. The emails all have the subject:
"You have received a secure document"
These emails contain a malicious Word document as an attachment, 9S659EHDCSI72649DS.doc.These emails are not sent from DocuSign. Do not open the attachment in these emails, instead please forward them to [email protected] and then delete the email immediately.
For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB)
-
03/16/2018
Following industry best practices, DocuSign will end TLSv1.0 support effective June 30, 2018 June 25, 2018. This date aligns with the deadline the PCI Security Standards Council has set for companies that wish to remain PCI Data Security Standard (PCI DSS) compliant. Other leading SaaS vendors, including Salesforce, Box, and PayPal, plan to end support for TLSv1.0 in June.
More information is available here: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tlsIn addition to retiring the insecure TLSv1.0 protocol, we will also remove a set of cipher suites which are no longer considered secure. This includes ciphers such as 3DES along with a few others that have an insufficient key length to securely encrypt communications.
The ciphers to be retired include the following:
· TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
· TLS_RSA_WITH_3DES_EDE_CBC_SHA
· TLS_RSA_WITH_AES_256_GCM_SHA384
· TLS_RSA_WITH_AES_256_CBC_SHA256
· TLS_RSA_WITH_AES_256_CBC_SHA
· TLS_RSA_WITH_AES_128_GCM_SHA256
· TLS_RSA_WITH_AES_128_CBC_SHA256
· TLS_RSA_WITH_AES_128_CBC_SHA
TLSv1.0 and these cipher suites are utilized by a small set of customers to support legacy integrations. These integrations will need to be updated to support secure, modern ciphers and is often as easy as recompiling the solution with updated libraries. The PCI Security Standards Council has published detailed guidance for migration from SSL/early TLS. It is available here: www.pcisecuritystandards.org/documents/Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf
All internet browsers currently supported by DocuSign already default to newer versions of TLS, so this change will go unnoticed by web and mobile users. Please contact DocuSign support with additional questions.
-
03/06/2018
DocuSign has observed a new phishing campaign that began the morning of March 6th, 2018 (Pacific Time). The email purports to come from "DocuSign Electronic Signature and Invoice" using the email addresses [email protected] and [email protected]. The emails all have the subjects:
You received / got invoice from DocuSign Signature Service / DocuSign Electronic Signature Service / DocuSign Service
These emails contain links to a malicious Word document. This emails are not sent from DocuSign. Do not click the links in these emails, instead please forward them to [email protected] and then delete the email immediately.For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB)
-
02/28/2018
On February 27th, CERT released details about a SAML vulnerability affecting some libraries which may allow an attacker to perform an authentication bypass. More details are available here: https://www.kb.cert.org/vuls/id/475445
Our security and identity teams immediately investigated this issue in our applications and have confirmed that none of our SAML implementations are vulnerable to this attack.
-
02/08/2018
DocuSign has addressed the Spectre and Meltdown vulnerabilities across our service, protecting customers from potential exploitation. Engineering teams have carefully monitored and measured performance during the rollout of these patches and no measurable service degradation has been encountered. Our incident response teams have not seen any indication of attempts to exploit these issues.
If and when additional patches become available from vendors we will use the same strategy to test, measure and deploy to our service. Providing customers with a secure and reliable service is our top priority at DocuSign.
-
01/31/2018
DocuSign has observed a new phishing campaign that began the morning of January 31, 2017 (Pacific Time).
The email purports to come from "Docusign Inc." using the email address [email protected] with the subject “Your document Receipt <numbers> for <name> is ready for signature!”. The email contains a link to a malicious Word document. This email is not sent from DocuSign. Do not click the link in this email, instead please forward it to [email protected] and then delete the email immediately.
For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB).
-
01/12/2018
Our security and engineering teams have completed validation testing and have been actively rolling out patches to address the Meltdown and Spectre vulnerabilities across all of our environments. We have taken a methodical approach to remediation using a canary system with telemetry and monitoring as a guide to ensure customers continue to have a stable, performant and secure experience on our platform.
DocuSign has prioritized and remediated devices in a deliberate manner using a risk based approach working diligently over the past week and patching the vast majority of our infrastructure. Next steps are to continue remediation for all remaining devices and as additional vendor patches become available we will continue testing and deploying in the same manner.
Our Incident Response team continuously monitors our systems for any evidence of attempts to exploit vulnerabilities such as 'Spectre' and 'Meltdown' and we have seen no indications of attempts to target our platforms using these vulnerabilities.
-
01/04/2018
On January 4th three information security vulnerabilities were released, CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754, which exploit critical vulnerabilities in modern processors. These hardware bugs, known as Meltdown and Spectre, allow an application unauthorized access to read system memory.
Upon learning of these vulnerabilities, DocuSign initiated incident response procedures to ensure the security of the company’s servers, core systems and online properties. We have reviewed all of our sites and supporting infrastructure to identify systems which require patching. DocuSign’s operations team is actively testing these updates in non-production environments and, once this is complete, will roll these updates out to our production servers.
In addition, DocuSign has identified a number of partners who may be affected by these vulnerabilities and are working closely with them to ensure their systems are updated as quickly as possible.
DocuSign will continue to monitor the status of the situation and provide updates as needed.
For more information, you can reference: https://spectreattack.com/
-
12/05/2017
DocuSign has observed a new phishing campaign that began the morning of December 5th (Pacific Time).
The email comes from Tyrone Boulden (note: this name is likely to change) and was sent from the email address [email protected] (note: this sender may change). The subject of the email will be either “Please DocuSign: Order Form for <domain>” or “Please DocuSign Your Debit Acknowledgement form” and it contains a link to a malicious Word document. Do not click the link in this email, instead please forward it to [email protected] and then delete the email immediately.
For more information on how to spot phishing, please see our Combating Phishing white paper (3.3 MB). -
12/01/2017
Learn about privacy at DocuSign and the steps we're taking to prepare for the upcoming GDPR.
While many organizations are just now focusing on how to protect customer data to comply with the General Data Protection Regulation (GDPR), DocuSign has already made significant strides, many of which apply to the GDPR:
DocuSign has developed a strong compliance culture and security safeguards, as demonstrated in our ISO 27001 certification.
We actively monitor regulator guidance of GDPR requirements to enhance our efforts, and like many cloud service providers, we are reviewing our data protection program and making adjustments to ensure compliance with the GDPR by May 2018.DocuSign has also drafted Binding Corporate Rules (BCRs), including privacy codes, and has submitted them with supporting documentation to the supervisory authorities in Europe for approval. Our BCRs will help establish vigorous data protection practices throughout the Company and meet the European standards of data protection processed by DocuSign through our core Signature service.
Only you and individuals authorized by your company have access to your documents. Your personal information stays private – even from DocuSign. There is no greater priority at DocuSign than the privacy and security of our customers’ information, data and documents.
-
11/29/2017
DocuSign has observed a new phishing campaign that began the morning of November 29th (Pacific Time)
The email comes from Alfonzo Copper (note this name is likely to change) and was sent from the email address [email protected]. The subject of the email is “Your Monthly Statement document is ready for signature!” and it contains a link to a malicious Word document. Do not click the link in this email, instead please forward it to [email protected] and then delete the email immediately. For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB).