Dropbox Hacked: Dropbox says hackers stole customer data and login keys from its eSignature platform
Cloud storage provider Dropbox has disclosed a security breach affecting its Dropbox Sign eSignature platform. The unidentified threat actors gained unauthorized access to its production systems and obtained authentication tokens, MFA keys, hashed passwords, and customer data. In addition, emails, usernames, and general account settings linked to all users of the digital signature service were compromised.
The breach came to light on April 24, 2024, as reported in a filing with the U.S. Securities and Exchange Commission (SEC). Dropbox, which announced its intention to acquire HelloSign in January 2019, acknowledged that the breach exposed data about all Dropbox Sign users, including email addresses and usernames, along with broader account configurations.
In a Form 8-K filing with the SEC, Dropbox said, “The threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings.” The company added, “For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.”
“This Form 8-K contains forward-looking statements as defined in the Private Securities Litigation Reform Act of 1995. Such forward-looking statements include statements regarding our ongoing investigation of the cybersecurity incident, the nature and known extent of the incident, the isolation of the incident to our Dropbox Sign infrastructure, Dropbox’s mitigation and remediation efforts, the potential disruption to our business or operations, and the potential impact on our operations, financial conditions, and results,” Dropbox said in the SEC filing.
For a subset of users, the attackers also obtained phone numbers, hashed passwords, and authentication material such as API keys, OAuth tokens, and multi-factor authentication credentials. Third parties who received or signed Dropbox Sign documents without creating an account had their names and email addresses exposed as well.
Investigations have not found evidence of unauthorized access to user account contents such as agreements, templates, or payment data. The breach appears to be contained within the Dropbox Sign infrastructure.
The attackers exploited a configuration tool within Dropbox Sign’s automated system to compromise a service account with elevated privileges, which enabled them to access the customer database.
While the exact number of affected customers remains undisclosed, Dropbox is actively notifying impacted users and providing comprehensive guidance to safeguard their information. Security measures include password resets, logouts from connected devices, and the rotation of all API keys and OAuth tokens.
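The remediation steps listed above (forced password resets, logging out connected sessions, and rotating every API key and OAuth token) follow a common pattern: secrets are stored only as hashes, each issued credential is stamped with a rotation generation, and an incident response bumps the global generation so that everything issued before it stops working at once. The following is an added illustration of that pattern written for this article; it is not Dropbox code, and the account, key format and generation counter are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed model of a credential store (not Dropbox Sign's implementation).
# Passwords are stored as salted PBKDF2 hashes; API keys/OAuth tokens are stored
# only as SHA-256 digests plus the rotation generation they were issued under.


@dataclass
class Account:
    email: str
    pw_hash: bytes
    pw_salt: bytes
    must_reset: bool = False
    # key_id -> (sha256 digest of the full key, generation at issue time)
    api_keys: dict = field(default_factory=dict)


class CredentialStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.generation = 0  # incremented on every fleet-wide rotation

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_account(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = Account(email, self._hash_password(password, salt), salt)

    def verify_password(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        # A forced reset blocks password login until the user sets a new one.
        if acct is None or acct.must_reset:
            return False
        return hmac.compare_digest(acct.pw_hash, self._hash_password(password, acct.pw_salt))

    def reset_password(self, email: str, new_password: str) -> None:
        acct = self.accounts[email]
        acct.pw_salt = os.urandom(16)
        acct.pw_hash = self._hash_password(new_password, acct.pw_salt)
        acct.must_reset = False

    def issue_api_key(self, email: str) -> str:
        """Return the plaintext key once; only its digest is retained server-side."""
        key_id = secrets.token_hex(4)
        key = f"{key_id}.{secrets.token_urlsafe(32)}"
        digest = hashlib.sha256(key.encode()).digest()
        self.accounts[email].api_keys[key_id] = (digest, self.generation)
        return key

    def verify_api_key(self, email: str, key: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or "." not in key:
            return False
        entry = acct.api_keys.get(key.split(".", 1)[0])
        if entry is None:
            return False
        digest, issued_gen = entry
        if issued_gen < self.generation:
            return False  # issued before the last rotation, so it is revoked
        return hmac.compare_digest(digest, hashlib.sha256(key.encode()).digest())

    def rotate_all(self) -> None:
        """Incident response: revoke every key/token and force password resets.

        Bumping the generation invalidates all previously issued credentials in
        one step, without having to enumerate or delete them individually.
        """
        self.generation += 1
        for acct in self.accounts.values():
            acct.must_reset = True
```

Because the server keeps only digests, a dump of this store yields hashed passwords and hashed keys rather than usable secrets, and `rotate_all()` makes anything exfiltrated before the rotation worthless even if it were recovered.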