Cyber Incident Victim: Dropbox Inc.
Date: Apr 2024
Location: United States of America
Summary
A cybersecurity incident involving unauthorized access to Dropbox Sign's production environment exposed customer information including emails, usernames, phone numbers, hashed passwords, general account settings, API keys, OAuth tokens, and multi-factor authentication details. Non-account holders who signed or received documents through the service also had names and email addresses compromised. The breach originated from a threat actor compromising a service account within an automated system configuration tool, granting access to the customer database. The company confirmed no evidence of unauthorized access to account contents, payment information, or other products. Response measures included password resets, device logouts, API key rotations, and coordination with authorities. Impacted users are being notified with protective action instructions, and the incident is not expected to materially affect operations.
Description
On April 24, 2024, Dropbox detected unauthorized access to the production environment of Dropbox Sign, its electronic signature service formerly known as HelloSign. The company opened an investigation with third-party forensic experts and determined that a threat actor had compromised a non-human service account within Dropbox Sign’s back-end infrastructure. This service account, part of an automated system configuration tool, held elevated privileges that allowed it to take actions within the production environment. The attacker used this access to exfiltrate customer data including emails, usernames, phone numbers, and hashed passwords. General account settings and authentication material such as API keys, OAuth tokens, and multi-factor authentication configurations were also accessed. Individuals who signed documents via Dropbox Sign without creating accounts had their names and email addresses exposed. The investigation found no unauthorized access to user-generated content such as documents and agreements, or to payment information. Dropbox emphasized that the incident was confined to Dropbox Sign’s infrastructure, which operates largely independently of other Dropbox services, and that core products were not affected.

In response, Dropbox reset all user passwords, forcibly logged users out of connected devices, and began rotating API keys and OAuth tokens. The company notified affected users directly with instructions for resetting passwords, reconfiguring MFA for authenticator app users, and regenerating API keys for developers. Data protection regulators and law enforcement were notified in line with disclosure obligations. Dropbox stated that the incident was unlikely to materially affect operations, though its stock declined 1.7% following the disclosure. Ongoing work included a comprehensive infrastructure review to identify the attack vectors involved and prevent recurrence. The company committed to completing user notifications within one week of discovery while its investigation continued. No evidence suggested that credential reuse had affected other Dropbox services, but customers were advised to change passwords on external platforms where they matched their Dropbox Sign credentials.
