Change your Dropbox Sign password now! Hackers accessed emails, usernames, and more

Continue reading
In the wake of a recent data breach, Dropbox, the popular online storage service, faces critical scrutiny over compromised customer credentials and authentication data. This breach, infiltrated by a threat actor, targeted the production environment of Dropbox Sign (formerly HelloSign), the platform's service for e-signatures and document storage.
The unauthorized access occurred within the production environment of Dropbox Sign, facilitated by compromised service account credentials. These credentials enabled the threat actor to infiltrate the system, accessing sensitive customer data and authentication details.
The breach resulted in the exposure of a significant amount of customer information, including emails, usernames, phone numbers, and hashed passwords. Even individuals who interacted with Dropbox Sign without creating an account had their data compromised.
Furthermore, the threat actor gained access to critical data within the service infrastructure, including API keys, OAuth tokens, and multifactor authentication (MFA) details. This compromised data poses risks not only to Dropbox Sign users but also to third-party partners integrating with the service.
In response to the breach, Dropbox swiftly implemented mitigation measures to minimize its impact. These measures included password resets, logouts from connected devices, and the rotation of API keys and OAuth tokens. Additionally, users are prompted to reset their passwords upon logging in, and API customers must generate new keys and configure them accordingly.
To enhance security further, Dropbox has imposed restrictions on certain API functionalities until key rotation is completed. Users utilizing authenticator apps for MFA are advised to reset their entries. Additionally, users are encouraged to change passwords used across multiple services and to enable MFA wherever possible.
Dropbox initiated a thorough investigation into the breach, enlisting forensic experts to uncover the extent of the intrusion. The company remains committed to protecting its customers against similar threats in the future, promising continued efforts to bolster security measures and support affected users.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been