Dropbox recently discovered a security breach that exposed user information for its Dropbox Sign digital signature service. Unauthorized access to the production environment was detected on April 24, prompting an investigation by the technology company. Initial findings indicated that no other products were affected, but the malicious actor did gain access to user data.
The stolen information includes email addresses, usernames, phone numbers, hashed passwords, account configurations, and authentication information such as API keys, tokens, and multi-factor authentication. Even users who didn’t create an account but used the service to sign electronic documents have been affected. However, signed documents and payment information remain secure. Users who have enabled login with another service, such as Google, have not had their passwords compromised.
Dropbox responded to the breach by informing affected users about the incident and providing a guide on securing their information. They also took steps to enhance security measures by resetting account passwords, closing active sessions on different devices, and rotating API keys and OAuth tokens. Despite this incident, Dropbox remains committed to protecting its users’ data and ensuring their privacy is maintained.