Service breach exposes users’ sensitive information on Dropbox platform

May 2, 2024

Dropbox recently reported a security breach that has impacted its Dropbox Sign digital signature service. The company discovered unauthorized access to its production environment on April 24, resulting in the exposure of user information such as emails, phone numbers, and login passwords.

Upon investigation, Dropbox confirmed that no other products were affected by the breach, as their infrastructures are separate. However, the malicious actor was able to access user data, including email addresses, usernames, phone numbers, hashed passwords, account configuration, and login elements like API keys, OAuth tokens, and multi-factor authentication.

Users who have utilized the service to sign electronic documents, even without creating an account, have been affected. Interestingly, users who have enabled third-party login options, like Google sign-in, have not had their passwords compromised. Additionally, signed documents and payment information remain secure and have not been exposed.

The hacker gained access to the production environment through an automated system configuration tool that has extensive privileges, including access to the user database. In response to the breach, Dropbox has taken steps to secure user information by notifying those affected, providing guidance on securing their data, resetting account passwords, and logging users out of all devices. It has also rotated API keys and OAuth tokens to prevent further unauthorized access.

Overall, Dropbox is working diligently to address the security breach and protect user data from any further unauthorized access.
