Tech News: Dropbox Says Hackers Stole Customer Data From its eSignature Service Dropbox Sign (HelloSign)


Dropbox has revealed a major attack on its digital signature (Dropbox Sign, formerly HelloSign) systems that saw customer data accessed by unknown and unauthorized entities.

For some users, phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication were also accessed.


What's Going On:

Dropbox's blog post explains that its investigation revealed that a third party gained access to "a Dropbox Sign automated system configuration tool." Dropbox Sign itself is, basically, a DocuSign clone.

Dropbox has found no evidence that the attacker "accessed the contents of users' accounts, such as their agreements or templates, or their payment information."

No other Dropbox services were affected, including its core cloud file-syncing business.

Dropbox Sign is forcing users to reset their passwords and log out of devices connected to their accounts. They are also forcing users to reset their API keys and OAuth tokens.

This is Dropbox's second security breach since 2022. In the earlier incident, Dropbox disclosed a security breach after threat actors stole 130 code repositories by breaching the company's GitHub accounts using stolen employee credentials.

What You Can Do

Ensure your devices are logged out of your Dropbox Sign account. Then, log back in and reset your password using a password manager such as 1Password or Bitwarden to ensure it is secure.

Those who utilize MFA (2FA) with Dropbox Sign should delete that account from their authenticator apps and set it up again with a new MFA key retrieved from their accounts.

If you receive an email from Dropbox Sign asking you to reset your password, DO NOT click any links in the email. Instead, visit the Dropbox Sign website directly and reset your password from the site.

Thank you so much for reading this blog post! You can keep up to date with my latest posts right here on KevinTheTechGuy.ca, on my Patreon, on BlueSky, via the RSS feed, and on my Social Media accounts. Just search for Kevin The Tech Guy! To find more content about the topics I cover, and other perks, please consider subscribing to my paid content! Your support makes my work possible.