TheCyberThrone

Dropbox suffers a Data Breach

Dropbox has disclosed a significant breach in its systems, exposing customers’ data to unauthorized entities.

A new regulatory filing detailed the incident, which primarily affected Dropbox Sign, a service akin to DocuSign that lets users manage documents online.

Dropbox became aware of the breach on April 24 and promptly initiated cybersecurity measures. The investigation revealed that the attackers accessed various user data, including emails, usernames, phone numbers, hashed passwords, and authentication information like API keys and OAuth tokens.

Dropbox said it found no evidence of access to the contents of users’ accounts or payment information. It appears that the attack was contained within the Dropbox Sign infrastructure, sparing other Dropbox products.

The breach reportedly stemmed from a compromised service account within Dropbox Sign’s backend, allowing the attackers to access the customer database. In response, Dropbox has taken measures such as resetting passwords, logging out users from connected devices, and rotating API keys and OAuth tokens.

Dropbox plans to reach out to affected users with instructions on securing their data. The investigation is ongoing, with Dropbox promising further updates as they emerge.

Neither the regulatory filing nor the blog post mentions the provision of free identity protection services to affected users, which are commonly offered after data breaches.
