Dropbox Cyberattack Impacts Digital Signature Product
Hacker accessed user information including email addresses, names and phone numbers
A hacker has breached Dropbox’s digital signature product, Dropbox Sign, accessing user information including emails, usernames and phone numbers.
In a blog post dated May 1, the Dropbox Sign team revealed that the breach happened on April 24 and affected all users of the product, formerly known as HelloSign.
The data exposed included email addresses, usernames, phone numbers, hashed passwords and authentication details including API keys, OAuth tokens and multi-factor authentication methods.
However, the team said there was no evidence the hacker accessed the contents of users' Dropbox Sign accounts, such as agreements or payment information, and the breach did not affect other Dropbox services.
“We’re in the process of reaching out to all users impacted by this incident who need to take action, with step-by-step instructions on how to further protect their data,” Dropbox said. “Our security team also reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign and is coordinating the rotation of all API keys and OAuth tokens.”
The hack also exposed the names and email addresses of individuals who received or signed a document through Dropbox Sign but never created an account. It did not affect those who created an account but did not set up a Dropbox password, for example by using “sign up with Google.”
Dropbox said that it had found no evidence of unauthorized access to customers’ documents, agreements, or payment information.
No other Dropbox products were affected by the cyberattack, even if a user’s Dropbox account was linked to a Dropbox Sign account.
The company’s security team reset users’ passwords, logged users out of any devices connected to Dropbox Sign and reported this event to data protection regulators and law enforcement.