Dropbox discloses data breach involving Dropbox Sign

Dropbox on Wednesday disclosed a data breach involving Dropbox Sign, its electronic signature service formerly known as HelloSign.

The cloud storage giant said that on April 24, it became aware that an unnamed threat actor had accessed Dropbox Sign customer information via their e-signature service's production environment. According to the disclosure posted to Dropbox's website, the compromised data included "customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication."

The company said that it has begun the process of reaching out to affected Dropbox Sign users that need to take action, though Dropbox did not say what those actions were. The company also reset user passwords, logged users out of devices connected to the service, and is "coordinating the rotation of all API keys and OAuth tokens." On a positive note, Dropbox found no evidence of unauthorized access to customer accounts or payment information.

According to the disclosure, the threat actor gained access via a Dropbox Sign automated system configuration tool.

"The actor compromised a service account that was part of Sign's back-end, which is a type of non-human account used to execute applications and run automated services," Dropbox wrote. "As such, this account had privileges to take a variety of actions within Sign's production environment. The threat actor then used this access to the production environment to access our customer database."

Dropbox said it reported the incident to law enforcement and data protection regulators and engaged forensic investigators.

As part of the post, Dropbox said it was committed to trust and apologized for the breach's impact.

"At Dropbox, our number one value is to be worthy of trust. We hold ourselves to a high standard when protecting our customers and their content. We didn't live up to that standard here, and we're deeply sorry for the impact it caused our customers," the company wrote. "We're also conducting an extensive review of this incident to better understand how this happened, and to protect against this kind of threat in the future. We are grateful for our customers' partnership, and we're here to help all of those who were impacted by this incident."

In an 8-K filing with the U.S. Securities and Exchange Commission Wednesday, Dropbox said it believes the breach was limited to the Dropbox Signature environment, which the company said is largely separate from other Dropbox services. "As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations, given our current understanding that this incident is limited to the Dropbox Sign infrastructure," the filing read.

Dropbox acquired HelloSign in 2019 for approximately $230 million to enter the e-signature market. At the time of the acquisition, Dropbox said HelloSign had more than 80,000 customers.

Dropbox did not state how many customers were affected. TechTarget Editorial contacted the company for additional comment.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.