Dropbox Sign Data Breach: What You Need to Know and How to Protect Yourself

Dropbox Sign Data Breach

Dropbox confirmed a security breach on April 24th within its Dropbox Sign (formerly HelloSign) service, exposing customer data including email addresses, usernames, phone numbers, and hashed passwords. API keys, OAuth tokens, and authentication information may also have been compromised.

Dropbox Sign Data Breach

The breach allowed a threat actor to access an array of personal information belonging to Dropbox Sign users. This included emails, usernames, phone numbers, and hashed passwords, as well as general account settings and authentication data such as API keys, OAuth tokens, and multi-factor authentication details. Notably, for users who interacted with Dropbox Sign without creating an account, names and email addresses were also compromised. Importantly, the breach did not affect the contents of customer documents or agreements, nor any payment information.

Investigations confirmed that the breach was confined to the Dropbox Sign infrastructure and did not impact other Dropbox products. Dropbox Sign operates on a largely separate infrastructure from other Dropbox services, which helped contain the breach to one area.

Upon discovering the breach, Dropbox acted swiftly to secure its systems and mitigate any potential damage:

  • Password Resets: Dropbox reset passwords for all affected accounts to prevent further unauthorized access.
  • Device Logouts: Users were logged out of any devices connected to Dropbox Sign to safeguard against any residual risks.
  • API and OAuth Token Rotation: Coordinating the rotation of all API keys and OAuth tokens to secure the integrity of further interactions with Dropbox Sign.

Dropbox also notified data protection regulators and law enforcement agencies to comply with legal obligations and seek assistance in addressing the breach.

Dropbox is urging all impacted users to follow the provided instructions to secure their accounts, including enabling multi-factor authentication and being vigilant for any suspicious activity related to their accounts.