Incident

Dropbox reports security breach of Dropbox Sign service, exposing credentials and PII



Dropbox is reporting a security breach in its Dropbox Sign service, previously known as HelloSign. The breach occurred on April 24th 2024 and resulted in unauthorized access to various types of user data associated with Dropbox Sign. The compromised information includes:

  • names,
  • email addresses,
  • phone numbers,
  • hashed passwords,
  • API keys,
  • OAuth tokens,
  • methods for multi-factor authentication.

No details are disclosed about the number of affected individuals or the nature of the attack.

The company claims that there is no evidence suggesting that the hacker accessed the contents of users' accounts or their payment information. Dropbox states that the breach was confined to the Dropbox Sign infrastructure and did not affect other Dropbox products.

Update - As of 9th of May 2024, Dropbox Sign informed the SEC that the breach impacted all users of its eSignature platform, including those without an account. The Dropbox eSignature system was previously known as HelloSign, which had 80,000 customers at the time it was purchased by Dropbox in 2019.

Dropbox has rotated API keys for customers who had API access and has limited certain functionalities as a precaution while it continues its investigation. The company is in the process of notifying affected users.
