On April 24, 2024, Dropbox experienced unauthorized access to its Dropbox Sign service, which is used for digitally signing documents. Here are the key details about this incident:
What Happened?
- Unauthorized Access: An attacker gained access to the production environment of Dropbox Sign without permission.
- Exposed Information: User information was compromised, including:
  - Email Addresses
  - Phone Numbers
  - Login Credentials
Impact and Measures Taken
- Affected Users: The attack impacted only Dropbox Sign, not other Dropbox products.
- Compromised Data: The attacker accessed data such as email addresses, usernames, phone numbers, and hashed passwords.
- Compromised Login Elements: Login elements like API keys, OAuth tokens, and multifactor authentication were also affected.
- Secure Signed Documents and Payments: Fortunately, signed documents and payment information remained secure.
- Protective Measures: Dropbox took steps to protect affected users, including password resets and rotation of API keys and OAuth tokens.
The Dropbox Sign hack serves as a reminder of the importance of cybersecurity. If you're a Dropbox user, be sure to change your password and monitor your account for unusual activity.