The 2024 Dropbox Sign breach: e-signature data exposed
April–May 2024
An attacker compromised the production environment of Dropbox Sign (formerly HelloSign), exposing customer emails, usernames, phone numbers, hashed passwords, and authentication secrets including API keys, OAuth tokens, and MFA data.
What happened
On 24 April 2024 Dropbox discovered unauthorized access to the production systems of Dropbox Sign, its e-signature service formerly known as HelloSign. The company disclosed the breach on 1 May 2024, including in a filing with the U.S. Securities and Exchange Commission.
Dropbox said a threat actor had accessed a Dropbox Sign automated system configuration tool and used its elevated privileges to reach the customer database. Exposed data included account holders' emails, usernames, phone numbers, and hashed passwords, along with general account settings and authentication information such as API keys, OAuth tokens, and multi-factor authentication details. For people who had received or signed documents through Dropbox Sign without ever creating an account, email addresses and names were exposed. Dropbox said it found no evidence the attacker accessed the contents of users' documents or agreements, or their payment information.
Impact
The breach was the most serious Dropbox security incident in years and the first to clearly expose live customer authentication secrets at scale, forcing API key and OAuth token rotations across affected integrations. Coming after Dropbox's 2022 GitHub incident, it renewed questions about Dropbox's segmentation and its custody of sensitive data — and it remains a live matter, with consumer litigation and regulatory attention following the disclosure.
Sources
- Dropbox Sign, 'A recent security incident involving Dropbox Sign' (Official / Dropbox, 2024)
- U.S. SEC, Dropbox, Inc. Form 8-K, Item 1.05 (Material Cybersecurity Incident) (Official / Dropbox, 2024)