Dropbox Sign Breach Exposes Customer Data - Cyber and Fraud Centre

Cloud storage giant Dropbox has recently disclosed a data breach affecting its eSignature service, Dropbox Sign (formerly HelloSign). The incident highlights the ongoing risks businesses and individuals face from cyber attacks, and the importance of proactive security measures.

How the Breach Happened

Threat actors gained access to a Dropbox Sign system configuration tool, which had elevated privileges within the platform. This allowed the attacker to access a customer database, exposing data including:

Email addresses
Usernames
Phone numbers
Hashed passwords
Account settings
Authentication information (API keys, OAuth tokens, multi-factor methods)

Crucially, Dropbox reports no evidence that customer documents or agreements were compromised. This breach emphasises how even service accounts (not directly associated with customers) can be targeted for valuable data exposure.

Impact and Response

Dropbox has addressed the situation by taking the following actions:

Resetting all affected user passwords
Logging out users from connected devices
Coordinating the rotation of authentication tokens
Working with law enforcement and data protection regulators

Customers impacted by the breach are being individually notified.

Protecting Yourself and Your Business

While Dropbox has taken responsibility and is mitigating the situation, this breach underscores several preventative measures everyone can take:

Strong, Unique Passwords: Avoid reusing passwords across different services. A hacked service could expose credentials for others. Consider using a password manager to help keep track.
Multi-Factor Authentication (MFA): Enable this when possible, as it requires an additional element (e.g., a code generated on an authorised app) when logging in, making account takeover harder.
Be Vigilant: Be sceptical of unexpected emails or requests for password changes, even if they appear to be from a legitimate service. When in doubt, navigate to the website directly rather than clicking links.
Regular Software Updates: Update your operating system, apps, and security software promptly to address identified vulnerabilities.
For Businesses: Conduct regular security audits and employee training. Restrict privileges for accounts to only necessary functions.

Staying Secure in the Digital Age

Cyber security threats are constantly evolving. Staying informed and practicing good digital hygiene are essential to minimise your risk of falling victim to future attacks.