Security News > 2024 > May > DropBox says hackers stole customer data, auth secrets from eSignature service
Cloud storage firm DropBox says hackers breached production systems for its DropBox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information.
DropBox Sign is an eSignature platform allowing customers to send documents online to receive legally binding signatures.
"Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication," warns DropBox.
DropBox says that it reset all users' passwords, logged out all sessions to DropBox Sign, and restricted how API keys can be used until they are rotated by the customer.
For now, DropBox Sign customers should be on the lookout for potential phishing campaigns utilizing this data to collect sensitive information, such as plaintext passwords.
In 2022, Dropbox disclosed a security breach after threat actors stole 130 code repositories by breaching the company's GitHub accounts using stolen employee credentials.