Dropbox : A Recent Security Incident Involving Dropbox Sign - Form 8-K

May 02, 2024 at 06:43 am EDT

A Recent Security Incident Involving Dropbox Sign

On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed Dropbox Sign customer information. We believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products. We're in the process of reaching out to all users impacted by this incident who need to take action, with step-by-step instructions on how to further protect their data. Our security team also reset users' passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens. Please read on for additional details and an FAQ.

On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.

For those who received or signed a document through Dropbox Sign, but never created an account, email addresses and names were also exposed. Additionally, if you created a Dropbox Sign or HelloSign account, but did not set up a password with us (e.g. "Sign up with Google"), no password was stored or exposed. We've found no evidence of unauthorized access to the contents of customers' accounts (i.e. their documents or agreements), or their payment information.

From a technical perspective, Dropbox Sign's infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.

What happened and our response

When we became aware of this issue, we launched an investigation with industry-leading forensic investigators to understand what happened and mitigate risks to our users.

Based on our investigation, a third party gained access to a Dropbox Sign automated system configuration tool. The actor compromised a service account that was part of Sign's back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign's production environment. The threat actor then used this access to the production environment to access our customer database.

In response, our security team reset users' passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens. We reported this event to data protection regulators and law enforcement.

What we're doing next

At Dropbox, our number one value is to be worthy of trust. We hold ourselves to a high standard when protecting our customers and their content. We didn't live up to that standard here, and we're deeply sorry for the impact it caused our customers.

We've been working around the clock to mitigate risk to our customers, and we're in the process of reaching out to all users impacted by this incident who need to take action, with step-by-step instructions on how to further protect their data.

We're also conducting an extensive review of this incident to better understand how this happened, and to protect against this kind of threat in the future. We are grateful for our customers' partnership, and we're here to help all of those who were impacted by this incident.

To contact us about this incident, please reach out to us here.

Customer FAQ

I'm a Sign customer - what has Dropbox done to protect me and what do I need to do?

•We've found no evidence of unauthorized access to the contents of users' accounts (i.e. their documents or agreements).

•We've expired your password and logged you out of any devices you had connected to Dropbox Sign to further protect your account. The next time you log in to your Sign account, you'll be sent an email to reset your password. We recommend you do this as soon as possible.

•If you're an API customer, to ensure the security of your account, you'll need to rotate your API key by generating a new one, configuring it with your application, and deleting your current one. As an additional precaution, we'll be restricting certain functionality of API keys while we coordinate rotation. Only signature requests and signing capabilities will continue to be operational for your business continuity. Once you rotate your API keys, restrictions will be removed and the product will continue to function as normal. Here is how you can easily create a new key.

•Customers who use an authenticator app for multi-factor authentication should reset it. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.

•If you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and utilize multi-factor authentication when available.

If I have a Sign account linked to my Dropbox account, is my Dropbox account affected?

•No. Based on our investigation to date, we believe this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.

•However, if you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and utilize multi-factor authentication when available. Instructions on how to do this for your Dropbox Sign account can be found here.

I'm a Sign API customer. Was my customers' data exposed as well?

•Names and email addresses for those who received or signed a document through Dropbox Sign, but never created an account, were exposed.

Where can I go for more information on this incident?

•We're in the process of reaching out to all impacted users who need to take action, and we expect all notifications to be complete within a week.

Is your investigation complete?

•Our investigation is still ongoing, and we'll provide additional updates as we have them.

Attachments

Original Link
Permalink

Disclaimer

Dropbox Inc. published this content on 01 May 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 02 May 2024 10:43:04 UTC.

	1st Jan change	Capi.
DROPBOX, INC.	-19.50%	7.91B
ADOBE INC.	-18.97%	216B
WORKDAY INC.	-6.57%	68.07B
ROPER TECHNOLOGIES, INC.	-0.60%	57.68B
AUTODESK, INC.	-9.15%	47.15B
DATADOG, INC.	-1.08%	40.34B
ELECTRONIC ARTS INC.	-6.62%	34.53B
ANSYS, INC.	-9.69%	28.59B
APPLOVIN CORPORATION	+107.00%	27.38B
PTC INC.	+5.29%	22.06B

1st Jan change

Capi.

DROPBOX, INC.

-19.50%

7.91B

ADOBE INC.

-18.97%

216B

WORKDAY INC.

-6.57%

68.07B

ROPER TECHNOLOGIES, INC.

-0.60%

57.68B

AUTODESK, INC.

-9.15%

47.15B

DATADOG, INC.

-1.08%

40.34B

ELECTRONIC ARTS INC.

-6.62%

34.53B

ANSYS, INC.

-9.69%

28.59B

APPLOVIN CORPORATION

+107.00%

27.38B

PTC INC.

+5.29%

22.06B

Market Closed - Nasdaq Other stock markets 04:00:00 2024-05-17 pm EDT			5-day change	1st Jan Change
23.73 ^USD	-0.96%		+2.55%	-19.50%

May. 14	VC firm Accel raises $650 mln to invest in AI, cybersecurity startups	RE
May. 09	Dropbox, Inc. Provides Earnings Guidance for the Second Quarter of 2024 and Maintains Earnings Guidance for the Full Year 2024	CI

VC firm Accel raises $650 mln to invest in AI, cybersecurity startups	May. 13	RE
Dropbox, Inc. Provides Earnings Guidance for the Second Quarter of 2024 and Maintains Earnings Guidance for the Full Year 2024	May. 09	CI
Transcript : Dropbox, Inc., Q1 2024 Earnings Call, May 09, 2024	May. 09
Dropbox Q1 Non-GAAP Earnings, Revenue Rise; Shares Gain After Hours	May. 09	MT
Dropbox Paying Users at End of Q1 Totaled 18.16 Million vs Visible Alpha Analyst Consensus of 18.1 Million	May. 09	MT
Earnings Flash (DBX) DROPBOX Posts Q1 EPS $0.58, vs. Street Est of $0.50	May. 09	MT
Earnings Flash (DBX) DROPBOX Reports Q1 Revenue $631.3M, vs. Street Est of $628.6M	May. 09	MT
Dropbox, Inc. Reports Earnings Results for the First Quarter Ended March 31, 2024	May. 09	CI
Dropbox Insider Sold Shares Worth $1,922,334, According to a Recent SEC Filing	May. 03	MT
Freshworks Q1 Non-GAAP Earnings, Revenue Increase; Names New Chief Executive	May. 02	MT
Dropbox Insider Sold Shares Worth $1,991,550, According to a Recent SEC Filing	Apr. 03	MT
Citigroup Cuts Price Target on Dropbox to $27 From $31, Maintains Neutral Rating	Mar. 22	MT
Smartsheet Inc. : Making work easier	Mar. 15
Cloud storage service Egnyte hires banks for IPO, sources say	Feb. 28	RE
North American Morning Briefing : Earnings Back in -2-	Feb. 20	DJ
Tranche Update on Dropbox, Inc.'s Equity Buyback Plan announced on February 17, 2022.	Feb. 16	CI
Tranche Update on Dropbox, Inc.'s Equity Buyback Plan announced on August 3, 2023.	Feb. 16	CI
Sector Update: Tech Stocks Retreat Late Afternoon	Feb. 16	MT
Sector Update: Tech	Feb. 16	MT
Dropbox Shares Decline Following Q4 Earnings, Analyst Actions	Feb. 16	MT
News Highlights : Top Company News of the Day - Friday at 11 AM ET	Feb. 16	DJ
BofA Securities Downgrades Dropbox to Underperform From Buy, Cuts Price Target to $28 From $34	Feb. 16	MT
Top Premarket Decliners	Feb. 16	MT
JPMorgan Downgrades Dropbox to Neutral From Overweight, Cuts Price Target to $30 From $33	Feb. 16	MT
JMP Securities Downgrades Dropbox to Market Perform From Market Outperform	Feb. 16	MT

Dropbox, Inc.

Equities

DBX

US26210C1045

Software

Dropbox : A Recent Security Incident Involving Dropbox Sign - Form 8-K

Latest news about Dropbox, Inc.

Chart Dropbox, Inc.

Company Profile

Income Statement Evolution

Ratings for Dropbox, Inc.

Analysts' Consensus

EPS Revisions

Quarterly earnings - Rate of surprise

Sector Application Software