Dropbox announces major security breach in Dropbox Sign, initiates protective measures

Dropbox has announced a recent security breach affecting its Dropbox Sign production environment. The unauthorized access was detected on April 24th, with subsequent investigations revealing that a threat actor had accessed customer data. Information exposed includes emails, usernames, phone numbers, hashed passwords, general account settings, and certain authentication information like API keys, OAuth tokens, and multifactor authentication.

Users who interacted with Dropbox Sign, including those who signed or received a document but did not create an account, also had their email addresses and names exposed. However, Dropbox maintains that the breach was confined to the Dropbox Sign infrastructure due to its technical separation from other Dropbox services.

In the aftermath of the breach, Dropbox has initiated a series of protective measures. Impacted users will be contacted with detailed instructions on how to further secure their data. The company's security team has reset passwords, logged users out of all devices connected to Dropbox Sign, and is managing the rotation of all API keys and OAuth tokens.

Despite the extensive data breach, Dropbox asserts that there is no evidence of unauthorized access to the contents of customers’ accounts, such as documents or agreements, or their payment information.

Dropbox says it is taking proactive measures to safeguard its customers, contacting all users affected by this incident to guide them through the necessary steps to secure their data. Additionally, it is conducting a “thorough investigation” to identify the root cause of the incident and implement measures to prevent similar threats from occurring in the future.

by Paul

Dropbox Sign, previously known as HelloSign, is an electronic signature service that provides a simple method to send, receive, and manage legally binding digital signatures. Despite its rating of 2.5, it remains a key player in the E-signature realm. Notable competitors include DottedSign, LibreSign, and Adobe Fill & Sign.
