Dropbox Sign Hit With Massive Data Breach, Here’s What Happened

e-signature startup, Dropbox Sign confirmed there was a massive data breach by hackers who gained access and compromised sensitive customer information. The breach enabled the hackers to gain unauthorized access to a service account that was part of the product’s back-end.

What Happened and What Was Compromised?

According to a data breach notification published on Dropbox Sign’s website, the compromised account, described as a “non-human account used to execute applications and run automated services,” granted the attacker access to the production environment and, subsequently, the customer database.

The compromised database accessed by the hacker contained a selection of sensitive information, including customer emails, usernames, phone numbers, hashed passwords, general account settings, API keys, OAuth tokens, and Multi-Factor Authentication (MFA) details.

Surprisingly, there was a category of individuals who did not register for an account but received or signed a document through the service. These groups also had their email addresses and names exposed in the breach.

Dropbox Sign has, however, assured that, as far as it is aware, there is no evidence signifying that the attackers accessed customer account contents or payment information. Hackers are known to steal information to defraud, like the recent movement of $2.6 million to Tornado Cash by the Prisma Finance hacker.

Dropbox Sign Responds to Data Breach

In response to the data breach which was first discovered on April 24, Dropbox took immediate measures to mitigate the damage and protect user data. This included resetting user passwords and logging users out of all their connected devices to ensure the integrity of customer accounts.

Additionally, the company is coordinating the rotation of all API keys and OAuth tokens to prevent further unauthorized access. It has also reported the breach to law enforcement, and Dropbox Sign says it is committed to collaborating with authorities to investigate the incident.

In the meantime, Dropbox is reaching out to all users affected by the data breach to walk them through steps on how to further safeguard their data. The cloud storage platform says it is also reviewing the incident to prevent future recurrence.

It is yet to be seen the impact this will have on Dropbox’s value given the stiff competition among companies in the traditional financial and tech sectors.