Dropbox says hacker accessed passwords, authentication info during breach

Cloud storage company Dropbox reported that a hacker breached company systems on April 24 and gained access to sensitive information, including passwords and authentication data.

In a filing with the SEC on Wednesday afternoon, the company said it discovered unauthorized access to the production environment of Dropbox Sign — a company formerly known as HelloSign that was acquired in 2019. The company allows people to sign documents digitally.

The hacker accessed information related to all users of Dropbox Sign, including account settings, names and emails. For some users, phone numbers, hashed passwords and authentication information like API keys, OAuth tokens and multi-factor authentication methods were also exposed. 

“Based on what we know as of the date of this filing, there is no evidence that the threat actor accessed the contents of users’ accounts, such as their agreements or templates, or their payment information,” the company said in the 8-K filing. 

“Additionally, we believe this incident was limited to Dropbox Sign infrastructure and there is no evidence that the threat actor accessed the production environments of other Dropbox products. We are continuing our investigation.” 

Dropbox explained in its own blog post that those who received or signed a document through Dropbox Sign — but never created an account — had their email addresses and names also exposed. There is no evidence that payment information was accessed. 

Forensic investigators have been hired and law enforcement has been contacted, according to Dropbox. According to the statement, regulatory agencies are already being notified based on the presumption that personal information was accessed. 

Dropbox added that it does not believe the breach will have a “material” effect on the company’s operations or financial condition. But it warned that Dropbox remains at risk “due to the incident, including potential litigation, changes in customer behavior, and additional regulatory scrutiny.”

For customers that had API access to Dropbox Sign, the company said new API keys will need to be generated and warned that certain functionality will be restricted while they deal with the breach. 

“Only signature requests and signing capabilities will continue to be operational for your business continuity. Once you rotate your API keys, restrictions will be removed and the product will continue to function as normal,” the company said. 

Dropbox said it is in the process of reaching out to all users who were affected and will need to take specific actions. All of the user notifications will take place over the next week.

Dropbox has quickly become one of the largest file hosting services since its founding in 2007. In 2022, the company dealt with another security issue where a phishing campaign targeted its developers, allowing hackers to gain access to the company’s GitHub accounts.

Dropbox said at the time that the hackers were able to copy 130 code repositories and gain access to credentials as well as information on Dropbox employees, current and past customers, sales leads, and vendors.

The incident comes amid a wider spotlight on the cybersecurity concerns that come with corporate acquisitions. The CEO of one of the largest insurance firms in the U.S. appeared before Congress on Wednesday and blamed a recent ransomware attack on a subsidiary’s legacy technology as well as a lack of basic cybersecurity protocols. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.