cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Dropbox data breach exposes all users of Dropbox Sign

The popular online storage solution has revealed the details of a cyber incident that exposed user data and authentication keys.

user icon David Hollingworth
Thu, 02 May 2024
Dropbox data breach exposes all users of Dropbox Sign
expand image

Online storage provider Dropbox has revealed the details of a cyber attack on its Dropbox Sign e-signature and workflow solution that has impacted every user of the application.

Dropbox revealed details of the incident in a filing to the US Securities and Exchange Commission on 29 April and in a 1 May blog post.

According to the filing, Dropbox became aware of “unauthorised access to the Dropbox Sign (formerly HelloSign) production environment” on 24 April.


“We immediately activated our cyber security incident response process to investigate, contain, and remediate the incident,” Dropbox’s Form 8-K filing said.

“Upon further investigation, we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings.”

A “subset of users” also had their hashed passwords, phone numbers, API keys, OAuth tokens, and multifactor authentication details accessed. Thankfully, as far as Dropbox is aware, the contents of users’ accounts were not accessed by the threat actor.

“Additionally, we believe this incident was limited to Dropbox Sign infrastructure, and there is no evidence that the threat actor accessed the production environments of other Dropbox products. We are continuing our investigation,” Dropbox said.

Law enforcement has been informed, and Dropbox is working with “industry-leading forensic investigators” to investigate the incident.

The blog post reiterates much of what was said in the filing, though it does add one worrying detail – even people who just signed a document without setting up a Dropbox Sign account have had their details accessed.

“For those who received or signed a document through Dropbox Sign but never created an account, email addresses and names were also exposed,” Dropbox said in its blog post.

There is at least some good news from the hack – it does not appear to have impacted Dropbox storage itself.

“From a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services,” Dropbox said.

“That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products.”

Dropbox is in the process of contacting affected customers and has already reset users’ passwords and logged all users out of Dropbox Sign, as well as “coordinating the rotation of all API keys and OAuth tokens”.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.