Account data belonging to users of Dropbox Sign, previously known as HelloSign, was accessed by a threat actor who breached the company's backend infrastructure. The breach, discovered on 24th April, exposed customer data including email addresses, usernames, phone numbers, hashed passwords, API keys, OAuth tokens, and MFA details. It also affected users who received or signed a document through Dropbox Sign without creating an account.

Data breach at Dropbox Sign led to unauthorized access of user information

Dropbox assured users that customer account contents and payment information were not accessed and that its other products were unaffected. Following the breach, Dropbox initiated an investigation, forced password resets, and informed impacted users, and it is working on rotating API keys and OAuth tokens. Although the passwords were hashed, concerns were raised over the compromised authentication data, such as API keys and OAuth tokens, which could grant unauthorized access to Dropbox accounts. The incident was attributed to a breach in the Dropbox Sign backend, raising questions about the company's security measures and the acquisition of HelloSign. Security experts emphasized the importance of changing passwords and enabling MFA promptly. Dropbox is conducting a comprehensive review to prevent future breaches and safeguard user data, acknowledging its failure to uphold user trust and apologizing for the impact on customers.
https://www.computerweekly.com/news/366583082/Dropbox-Sign-user-information-accessed-in-data-breach