Hackers have knocked again on Dropbox users’ doors. Dropbox Sign, the e-signature service, has been compromised by the leak of user names, emails, and phone numbers, amongst other related things.
As per their SEC filing, Dropbox became aware of the leak on April 24, 2024. They immediately activated the cybersecurity measures to retrieve and contain the breach.
It Gets Worse for Few
Phone numbers, hashed passwords, and authentication information such as API keys, OAuth tokens, and multi-factor authentication are also exposed for a certain subset of users.
That is not all; it also affects a few non-registered users who use Dropbox Sign to e-sign documents. Their email, names, and addresses were exposed in this breach.
Are Dropbox Sign documents affected?
As per their official disclosure, Dropbox says that no user’s documentation or agreements were breached or exposed in this incident.
It would be wise to still be cautious and take steps to ensure that your sensitive information is not leaked.
Is Dropbox Sign safe to use now?
Dropbox Sign has sent expired password prompts to all the users. Now they have to create a new user password for logging in.
The same goes for API key users, who will have to get a new key to use with their third-party apps and services.
Is the Dropbox account affected?
As per the official statement, your Dropbox cloud account, even if connected with Sign, is not affected by this breach.
However, if you are using Dropbox Sign password anywhere else, then the company recommends changing it.
Sit Tight and Wait for the Next Step
Dropbox has advised users to wait till the investigation is completed by leading independent cybersecurity specialists.
All the affected users will be notified within this week. Meanwhile, you should change the passwords and APIs and wait for the next recommended step.
We would recommend backing up the data and then making necessary changes to potentially exposed agreements. This will ensure that your sensitive information is not entirely at risk.
