Dropbox Discloses Breach of Digital Signature Service Affecting All Users

May 2, 2024 at 06:27AM

Dropbox disclosed that its subsidiary, Dropbox Sign, experienced a data breach on May 2, 2024. Unidentified threat actors accessed user emails, usernames, and account settings. Phone numbers, hashed passwords, and authentication information of some users were also compromised. Dropbox is investigating, cooperating with authorities, and taking steps to protect affected users.

Key takeaways:

1. Dropbox Sign (formerly HelloSign) experienced a data breach, with threat actors accessing emails, usernames, and general account settings for all users, along with phone numbers, hashed passwords, authentication information, and names and email addresses of third parties involved in document signing.

2. The investigation has not found evidence that attackers accessed the contents of users’ accounts or payment information, and the breach is specific to Dropbox Sign infrastructure.

3. The attackers gained access through a service account in Dropbox Sign’s backend, and the company is in the process of reaching out to impacted users with instructions to protect their information.

4. Remediation measures taken include password resets, logging out users from connected devices, and rotation of API keys and OAuth tokens. Dropbox is also cooperating with law enforcement and regulatory authorities.

5. This is the second security incident targeting Dropbox in two years, with a previous phishing campaign in November 2022.

Overall, immediate steps have been taken to mitigate the breach, and ongoing analysis is being conducted to further address the incident.