Dropbox has disclosed a significant security breach affecting its HelloSign eSignature service (recently rebranded as Dropbox Sign).
The company confirmed that malicious actors accessed customer data, as well as authentication tokens, MFA keys, hashed passwords within its systems.
“Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication,” warns DropBox.
The company says they found no evidence that the threat actors gained access to customers’ documents or agreements and did not access the platforms of other DropBox services.
