Dropbox has recently announced that it identified a security breach in its Dropbox Sign digital signature service, which exposed user information such as emails, phone numbers, and login passwords. The company launched an investigation after detecting unauthorized access in the production environment on April 24.
The investigation revealed that no other products were affected, but the malicious actor gained access to user data through control of an automated system configuration tool with broad privileges, including access to the user database.
The stolen information includes email addresses, usernames, phone numbers, hashed passwords, account configurations, and login elements like API keys and tokens. Even users who didn’t create an account but used the service to sign electronic documents have been affected. However, signed documents and payment information remain secure. Users who have enabled login with another service such as Google have not had their passwords compromised.
Dropbox has taken immediate action to mitigate the impact of this breach by informing affected users about the incident and providing a guide on securing their information. They have also reset account passwords, closed active sessions on different devices and rotated API keys and Oauth tokens to enhance security measures.
