• Customer information such as emails
• Usernames
• Phone numbers
• Hashed passwords, as well as general account settings and certain authentication information such as API keys
• OAuth tokens
• Multi-factor authentication
Acknowledgement
Yes
Notice/Statement
Dropbox found no evidence suggesting access to the “contents of customers’ accounts (i.e. their documents or agreements), or their payment information” and has clarified that the “incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products”.
Grievance Redressal
The Dropbox security team has “reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens”. They state that they have reported this event to “data protection regulators and law enforcement” and are “in the process of reaching out to all users impacted by this incident who need to take action, with step-by-step instructions on how to further protect their data”.