Dropbox has recently disclosed a security breach that affected its Dropbox Sign digital signature service, exposing user information such as emails, phone numbers, and login passwords. On April 24, the technology company detected unauthorized access to the production environment and launched an investigation. Initial findings revealed that no other products were affected, but the malicious actor gained access to user data by taking control of an automated system configuration tool with broad privileges.
The stolen information includes email addresses, usernames, phone numbers, hashed passwords, account configurations, and authentication material such as API keys and tokens. Even users who didn’t create an account but used the service to sign electronic documents have been affected. However, signed documents and payment information remain secure. Users who log in through another service, such as Google, have not had their passwords compromised.
In response, Dropbox has notified affected users and provided a guide on securing their information. It has also reset account passwords, closed active sessions on different devices, and rotated API keys and OAuth tokens to enhance security.