Dropbox Sign digital signature service hit by security breach, exposing user information

Dropbox recently experienced a security breach that affected its Dropbox Sign digital signature service. On April 24, the company discovered unauthorized access to its production environment, resulting in the exposure of user information such as emails, phone numbers, and login passwords.

Upon investigation, Dropbox confirmed that no other products were affected by the breach as the infrastructures are separate. However, the malicious actor was able to access user data, including email addresses, usernames, phone numbers, hashed passwords, account configuration, and login elements like API keys, tokens Oauth, and multi-factor authentication.

Interestingly, users who have enabled third-party login options like Google sign-in have not had their passwords compromised. Additionally, signed documents and payment information remain secure and have not been exposed. It is worth noting that users who have utilized the service to sign electronic documents without creating an account have also been affected.

The hacker gained access to the production environment through an automated system configuration tool with extensive privileges that included access to the user database. In response to the breach, Dropbox has taken steps to secure user information by notifying those affected, providing guidance on securing their data, resetting account passwords