Dropbox Sign Breach Exposes Customer Data and Authentication Secrets
Hackers accessed sensitive information including emails, usernames, and authentication data from Dropbox Sign, prompting urgent security measures.
- Dropbox confirmed a breach in Dropbox Sign’s production systems, exposing emails, usernames, phone numbers, hashed passwords, and authentication data.
- The breach, detected on April 24, involved unauthorized access via a compromised service account with elevated privileges.
- There is no evidence that documents or agreements were accessed, but the exposed data increases the risk of phishing and identity theft.
- Dropbox has reset passwords, logged out users, and advised customers to rotate API keys and enable new MFA configurations.
- Security experts warn of the potential for targeted phishing attacks due to the nature of the stolen data.