Dropbox has confirmed a significant breach of its Dropbox Sign service (formerly HelloSign), which compromised a wide range of customer information, including emails, usernames, phone numbers, hashed passwords, and various authentication details like API keys, OAuth tokens, and multi-factor authentication setups. The breach, identified on April 24, 2024, also exposed the email addresses and names of third-party individuals who had interacted with Dropbox Sign without creating an account.
According to the company’s recent filing with the U.S. Securities and Exchange Commission (SEC), all users of the digital signature product are affected, but there is no evidence so far that the attackers accessed the contents of users’ documents or agreements. Dropbox attributed the breach to unauthorized access to an automated system configuration tool, which led to the compromise of a service account with elevated privileges within Dropbox Sign’s backend. Through this account, the attackers gained broad access to the service’s customer database.
Dropbox is actively reaching out to all impacted users with detailed instructions on how to secure their accounts, including resetting passwords, rotating API keys, and changing passwords on other platforms where the same credentials were reused. Additionally, the company has reset the exposed passwords and logged users out of associated devices to further secure user data. Dropbox’s security team is also coordinating the rotation of compromised authentication tokens.
In response to the breach, Dropbox has notified law enforcement and regulatory authorities, including the SEC, and is conducting a thorough review to understand how the breach occurred and to fortify its defenses against future threats. This incident marks the second significant security challenge for Dropbox in the last two years, following a phishing campaign in 2022 that compromised several of its source code repositories on GitHub.