Dropbox detected a breach of its e-signature service resulting in the theft of customer data

Dropbox, the file storage and sharing giant, experienced a breach of its legally binding electronic signature service, Dropbox Sign, in which an attacker gained access to customer data, including emails, phone numbers, hashed passwords, and authentication material such as multifactor authentication tokens, API keys, and OAuth tokens. The breach also exposed the names and email addresses of non-accountholders who had received or signed documents. Dropbox reported revenue of $2.5 billion in 2023, and Dropbox Sign is a widely used service for creating legally binding e-signatures for closing sales deals, mortgage signing, and HR onboarding. The investigation is ongoing to determine when the intrusion began, but so far the breach appears to have affected only Dropbox Sign infrastructure, not other Dropbox products. The company stated that there was no unauthorized access to the contents of customer accounts or to payment information. Remediation measures have been taken, including password resets for all Dropbox Sign users, and customers are advised to reset their authenticator apps for MFA. The breach highlights the possibility of a supply-chain attack using the stolen keys and tokens for sensitive actions, such as signing documents in users' names or holding confidential documents for ransom.

https://www.bankinfosecurity.com/dropbox-sees-breach-legally-binding-e-signature-service-a-24997