
Passwords and authentication info stolen during Dropbox hack

Dropbox, the cloud storage giant, has disclosed that on April 24th its systems were breached by a hacker, resulting in the compromise of sensitive data, including passwords.

In an official submission to the SEC, Dropbox revealed that the breach targeted Dropbox Sign, formerly known as HelloSign, a digital document signing service acquired by the company in 2019.

The attacker gained unauthorized access to Dropbox Sign's production environment and exposed user information, including account settings, user names, and email addresses. For select users, the breach also exposed additional sensitive data such as phone numbers, hashed passwords, and authentication credentials like API keys, OAuth tokens, and multi-factor authentication methods.

Dropbox sought to reassure users in its SEC filing, stating that, as of the filing date, there was no evidence indicating the intruder had accessed the contents of users' accounts, such as agreements, templates, or payment details. The company also said it believes the breach was contained within the Dropbox Sign infrastructure, with no indication of access to the production environments of other Dropbox products. Investigations into the incident are ongoing.

Further details emerged in a blog post by Dropbox, which clarified that even individuals who hadn't created an account but had interacted with Dropbox Sign by receiving or signing documents had their names and email addresses exposed. However, there is no indication that payment information was compromised.

Dropbox has begun contacting all affected users, outlining the specific actions they will need to take in response to the breach. These notifications are slated to go out over the course of the next week.

Further information – https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign

Luke Simmonds

Blogger at www.systemtek.co.uk
