Hackers Break Into Dropbox Sign, Stealing Customer Information

May 7, 2024 / meritsolutions

As companies employ new tactics to defend themselves against cyberattacks, hackers continue to find a way in. So it is with Dropbox: The company is the latest to be hacked, as bad actors broke into production systems for the Dropbox Sign eSignature platform. These hackers were able to obtain authentication tokens, MFA keys, passwords (hashed), and the information of Dropbox customers.

This isn’t the entirety of Dropbox, to be clear, but specifically Dropbox Sign. The eSignature platform lets customers send documents over the internet and sign them with legally binding signatures. It is essential to many kinds of business, which is what makes this breach so alarming.

Dropbox said it first detected the intrusion on April 24. Its investigation found that the bad actors broke into a Dropbox Sign automated system configuration tool, which let them run applications and automations after elevating their privileges. From there, they could reach the customer database. The exposed information included emails, usernames, phone numbers, hashed passwords, account settings, API keys, OAuth tokens, and MFA keys. Even users who used Dropbox Sign without creating an account had their email addresses and names leaked.

The good news is that the bad actors do not appear to have obtained any sensitive content such as documents or signatures. Dropbox also reset all users’ credentials and logged users out of all Dropbox Sign sessions. If you use MFA with the service, the company advises that you delete it from your MFA app and set it up again with a new key from Dropbox’s site: a leaked MFA key keeps producing valid codes until it is replaced. Anyone who integrates with Dropbox Sign through its API should likewise treat the exposed API keys and OAuth tokens as compromised.
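To show why the MFA re-enrollment step matters, here is an added illustration (not Dropbox’s code, and not from this article) of a standard RFC 6238 time-based one-time password check: a code computed from the leaked seed is accepted until the verifier enrolls a fresh seed, after which the same code is rejected. The seeds and the `MfaVerifier` class are constructed for the example; the base32 seed in the usage line is a sample in the form an authenticator app scans from a QR code.

```python
# Added illustration, not Dropbox code: why a leaked MFA seed must be re-enrolled.
# Stdlib-only RFC 4226 HOTP / RFC 6238 TOTP; all seeds here are constructed samples.
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time window."""
    return hotp(secret, unix_time // step, digits)


class MfaVerifier:
    """Server side (constructed): stores the enrolled seed, checks codes with one window of skew."""
    def __init__(self, seed: bytes):
        self.seed = seed

    def verify(self, code: str, unix_time: int, step: int = 30) -> bool:
        w = unix_time // step
        return any(hmac.compare_digest(hotp(self.seed, c), code) for c in (w - 1, w, w + 1))

    def reenroll(self) -> bytes:
        """The remedy the article describes: issue a fresh seed so the leaked one is dead."""
        self.seed = secrets.token_bytes(20)
        return self.seed


def rotation_demo(leaked_seed: bytes, now: int = 1_714_953_600) -> dict:
    """A code minted from the leaked seed passes before re-enrollment and fails after."""
    verifier = MfaVerifier(leaked_seed)
    code_from_leaked_seed = totp(leaked_seed, now)  # anyone holding the seed can compute this
    before = verifier.verify(code_from_leaked_seed, now)
    verifier.reenroll()
    after = verifier.verify(code_from_leaked_seed, now)
    return {"accepted_before_rotation": before, "accepted_after_rotation": after}


if __name__ == "__main__":
    print(rotation_demo(base64.b32decode("JBSWY3DPEHPK3PXP")))
```

The `hotp` and `totp` functions reproduce the RFC 4226 and RFC 6238 reference vectors, so the same check can be run against any authenticator seed format that decodes to raw bytes.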

Dropbox is emailing affected customers, but do not follow links in any email you receive about this: a breach like this invites scammers to send phishing emails that mimic the official notice in order to trick people into handing over personal information. If you do receive an email from Dropbox, go directly to Dropbox Sign’s website yourself and reset your credentials manually.
