Actions

Dropbox Sign confirms hack that gained unauthorized access to users’ personal data

Dropbox says that hackers obtained people's emails, usernames, phone numbers, and passwords.
A closeup of the Dropbox website page
Posted

Dropbox, the popular file-sharing service, reported a breach affecting its electronic signature service Dropbox Sign, allowing unauthorized access to users’ personal information.

According to the company’s press release, on April 24 hackers accessed users' emails, usernames, phone numbers, and passwords. They also got into some account settings and authentication info, like API keys and OAuth tokens. However, they do not believe the hackers were able to fully access any content or documents in the accounts.

“The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database,” the press release read.

Code on computer screen

Data Privacy and Cybersecurity

Chinese hackers threaten US cybersecurity

Kevin Cirilli

Although the company didn't identify the perpetrators, they stated that the investigation is still ongoing and confirmed reporting the hack to regulators and law enforcement agencies.

In response to the hack, Dropbox says that they are contacting all affected individuals with detailed instructions to enhance their data security. Additionally, their security team has reset the passwords of those affected.