Dropbox Discloses Breach of Digital Signature Service Affecting All Users
May 02, 2024
Cyber Attack / Data Breach
Cloud storage services provider Dropbox on Wednesday disclosed that Dropbox Sign (formerly HelloSign) was breached by unidentified threat actors, who accessed emails, usernames, and general account settings associated with all users of the digital signature product. The company, in a filing with the U.S. Securities and Exchange Commission (SEC), said it became aware of the "unauthorized access" on April 24, 2024. Dropbox announced its plans to acquire HelloSign in January 2019. "The threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings," it said in the Form 8-K filing.. "For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication." Even worse, the intrusion also affects third-parties who received or signed a document through Dropbox Sig