May 2, 2024 at 04:29AM
Dropbox disclosed a data breach impacting customers of its electronic signature service, Dropbox Sign. The breach compromised customer information, including email addresses, usernames, phone numbers, and hashed passwords. While payment information and customer files were not accessed, all affected users are being notified and security measures are being updated. The investigation is ongoing.
Dropbox Sign, the electronic signature service, recently experienced a data breach. The intrusion, discovered on April 24, allowed a threat actor to access customer information, including email addresses, usernames, phone numbers, hashed passwords, data on general account settings, and authentication data. The breach also impacted users who had only received or signed a document through Sign without creating an account. However, there is no indication that payment information or customers’ files were accessed.
The breach resulted from the compromise of a service account within Sign’s back-end, which provided the threat actor with access to the production environment and subsequently the customer database. In response to the incident, Dropbox is taking several proactive steps including notifying impacted users, logging them out of the Sign service, resetting their passwords, and rotating API keys and OAuth tokens. Additionally, the company is advising customers to reset their authenticator app for multi-factor authentication and to change passwords on other online services where their Sign password is reused.
This incident comes after a previous security breach in November 2022, in which a threat actor gained access to source code and personal information following a phishing attack. The investigation into the recent breach is ongoing, and there is no evidence to date that other Dropbox products were impacted. The company is actively addressing the situation and taking steps to mitigate any potential risks for affected users.