Dropbox Security Breach Exposes Personal Data in Sign Program Hack – Update and Steps Taken by Company

Dropbox reports that a hacker has unauthorized access to systems for the Sign program, formerly known as HelloSign. The attackers had access to various personal data, but not to signatures. Those affected will be notified by email.

The company writes that the cyber attack took place on April 24, when hackers gained access to Sign Dropbox’s ‘production environment’. Through an automated system configuration tool, the third party accessed the weekend program with a compromised ‘non-human account’.

Depending on how users interacted with Dropbox Sign, various personal data may have been compromised. For example, users without an account had access to their email addresses and names. Users with an account also had unauthorized access to phone numbers, hashed passwords, API keys and authentication tokens. Dropbox emphasizes that this only applies to account information, not content created in Sign through those accounts, including digital signatures and documents.

The company has automatically reset passwords and is asking API clients to generate new API keys. Also, users who use multi-factor authentication must reset this feature.