Dropbox has disclosed a breach of its electronic signature service, formerly known as HelloSign and now rebranded as Dropbox Sign. The company detected the intrusion on 24 April 2024 and disclosed it publicly on 1 May 2024.
The US file hosting company confirmed that an unidentified threat actor had gained access to customer data in the production environment of its e-signature service. The compromised information included customer details such as email addresses, usernames, phone numbers and hashed passwords, along with general account settings and authentication material: API keys, OAuth tokens and multi-factor authentication (MFA) credentials. The distinction matters for anyone assessing their exposure: hashed passwords can only be attacked offline, whereas API keys and OAuth tokens are bearer credentials that grant access as-is until revoked, and a stolen MFA secret undermines the second factor for as long as the same authenticator enrolment remains in place.
The company took action to address the breach: it began contacting affected Dropbox Sign users, although it did not spell out specific steps for users to take. Nor did Dropbox disclose the number of affected customers. Dropbox apologised for the impact of the breach and pledged to conduct a comprehensive review of the incident so as to strengthen its protections against similar threats in the future.
The company reset user passwords, logged users out of all connected devices, and is coordinating the rotation of all API keys and OAuth tokens. Dropbox confirmed it had found no evidence of unauthorised access to the contents of customer accounts or to payment details. It also reported the incident to law enforcement and data protection regulators and has engaged forensic investigators. Dropbox says it is continuing a thorough investigation to determine the root cause of the breach, and directs users with questions about the incident to contact the company.
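The remediation above amounts to a credential-inventory triage: every credential class that was live during the exposure window gets a specific action (reset, logout, revocation and reissue), and the job is not finished until nothing flagged remains active. The following is an added example of that triage and its closing check, written for this page rather than taken from Dropbox or Dropbox Sign. It assumes the year 2024 for the dates given above, treats the disclosure date as the conservative end of the exposure window, and adds one assumption of its own: a stolen MFA seed is not protected by hashing, so the only fix is re-enrolment. The inventory is constructed sample data, not real customer records.

```python
from dataclasses import dataclass
from datetime import date

# Dates taken from the disclosure (year assumed to be 2024).
DETECTED = date(2024, 4, 24)
DISCLOSED = date(2024, 5, 1)

# One remediation per credential class, mirroring the actions Dropbox listed
# (password reset, session logout, API key and OAuth token rotation).
# The mfa_secret entry is an assumption added here: a stolen TOTP seed cannot
# be "hashed away", so the holder must re-enroll their authenticator.
ACTIONS = {
    "password_hash": "force password reset",
    "session": "invalidate session",
    "api_key": "revoke key and issue replacement",
    "oauth_token": "revoke token and require re-consent",
    "mfa_secret": "re-enroll authenticator app",
}


@dataclass(frozen=True)
class Credential:
    owner: str
    kind: str
    issued: date
    active: bool = True


def needs_action(cred, window_end=DISCLOSED):
    """A credential is suspect if it was live at any point before the exposure
    window closed. Anything issued after window_end is assumed to postdate the
    intrusion; anything already inactive needs nothing further."""
    if cred.kind not in ACTIONS:
        raise ValueError(f"unknown credential class: {cred.kind}")
    return cred.active and cred.issued <= window_end


def triage(inventory, window_end=DISCLOSED):
    """Map each owner to the ordered list of remediation steps they need."""
    plan = {}
    for cred in inventory:
        if needs_action(cred, window_end):
            plan.setdefault(cred.owner, []).append(ACTIONS[cred.kind])
    return plan


def verify_rotated(inventory, window_end=DISCLOSED):
    """Post-remediation check: credentials still flagged. Must be empty before
    the incident is closed."""
    return [c for c in inventory if needs_action(c, window_end)]


# Constructed sample inventory (hypothetical owners, not real Dropbox data).
SAMPLE = [
    Credential("alice", "password_hash", date(2023, 11, 2)),
    Credential("alice", "api_key", date(2024, 4, 10)),
    Credential("alice", "mfa_secret", date(2024, 1, 15)),
    Credential("bob", "oauth_token", date(2024, 4, 30)),
    Credential("bob", "oauth_token", date(2024, 3, 1), active=False),  # already revoked
    Credential("carol", "api_key", date(2024, 5, 3)),  # issued after disclosure
]

if __name__ == "__main__":
    for owner, steps in triage(SAMPLE).items():
        print(owner, "->", "; ".join(steps))
```

The conservative choice is the window end: if the investigation later establishes when the attacker's access actually ended, `window_end` can be moved earlier, but until then anything issued before disclosure is treated as exposed. Running `verify_rotated` over the refreshed inventory is the step that turns "coordinating the rotation" into a verifiable fact.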
The company filed a Form 8-K with the US Securities and Exchange Commission (SEC), stating that the breach appeared to be contained within the Dropbox Sign infrastructure, which is separate from other Dropbox services, and that it therefore expected minimal impact on overall business operations.