:quality(75)/cloudfront-us-east-1.images.arcpublishing.com/elcomercio/IB53WANYUNGGBKDO2NCEEARLVY.jpg)
In an effort to enhance their Dropbox Sign digital signature service, technology company Dropbox recently identified a security breach that exposed user information such as emails, phone numbers, and login passwords. An investigation was launched on April 24 when unauthorized access was detected in the production environment. The initial findings revealed that no other products were affected as the infrastructures are separate, but the malicious actor did gain access to user data.
The stolen information includes email addresses, usernames, phone numbers, hashed passwords, account configurations, and login elements like API keys, tokens, and multi-factor authentication. Even users who didn’t create an account but used the service to sign electronic documents have been affected. However, signed documents and payment information remain secure. Users who have enabled login with another service, such as Google, have not had their passwords compromised.
Dropbox responded to the breach by informing affected users about the incident and providing them with a guide on securing their information. They also took action by resetting account passwords, closing active sessions on different devices and rotating API keys and Oauth tokens to enhance security measures.