Opening incident

Loading disclosure

Pulling the filing, breach taxonomy, and impact scoring…

Duke

Blog Incident database Request access

Loading database

Indexing incidents

Fetching SEC-disclosed cyber incidents and Duke's breach taxonomy…

Duke

Blog Incident database Request access

Opening incident

Loading disclosure

Pulling the filing, breach taxonomy, and impact scoring…

Dropbox, Inc. Unknown (2024) | SEC Cybersecurity Incident | Duke Security

Duke

Blog Incident database Request access

← Back to incidents

Incident · Unknown

Dropbox, Inc. · DBX

Information TechnologyUSAIncident April 24, 2024Filed May 1, 2024

Impact score

Business continuity

—

Insurance involved

Not disclosed

Filing

8-K · 1.05

Breach taxonomy

UnknownData ExfilPersonal DataInfo Privacy Loss

Summary

On April 24, 2024, Dropbox became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment by a threat actor. The actor accessed data for all Dropbox Sign users including emails and usernames, and for subsets of users also accessed phone numbers, hashed passwords, API keys, OAuth tokens, and multi-factor authentication information. No agreement contents, templates, or payment information were accessed. The incident was limited to Dropbox Sign infrastructure with no impact on other Dropbox products.

Tagging rationale

ThreatUnknown

Filing does not attribute the incident to any specific threat actor → UNKNOWN.

MethodsData Exfil

Filing confirms the threat actor accessed and obtained user data including credentials and authentication information — active data exfiltration.

AssetsPersonal Data

Filing discloses access to emails, usernames, phone numbers, hashed passwords, API keys, OAuth tokens, and MFA information for all Dropbox Sign users — sensitive personal data and credentials.

EffectsInfo Privacy Loss

Unauthorized access and exfiltration of user personal data and credentials; no operational disruption to Dropbox's business.

Impact

All Dropbox Sign users had email and account data exposed; subsets had credentials and authentication tokens compromised, but no payment data or document contents were accessed and operations were unaffected.

InsuranceNot disclosed

Filing makes no mention of insurance.

Read the original SEC filing excerpt

Item 1.05 Material Cybersecurity Incidents On April 24, 2024, Dropbox, Inc. became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. We immediately activated our cybersecurity incident response process to investigate, contain, and remediate the incident. Upon further investigation, we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings. For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. Based on what we know as of the date of this filing, there is no evidence that the threat actor accessed the contents of users' accounts, such as their agreements or templates, or their payment information. Additionally, we believe this incident was limited to Dropbox Sign infrastructure and there is no evidence that the threat actor accessed the production environments of other Dropbox products.

View SEC filing Back to database

Get alerts on new incidents

Drop your email and we’ll let you know when fresh SEC disclosures land in the database. No spam.

More in Information Technology

Unknown · April 13, 2026

Itron, Inc.

Itron was notified on April 13, 2026 that an unauthorized third party had gained access to certain corporate systems. The company activated …

Unknown · November 1, 2025

Logitech International S.A.

Logitech experienced a cybersecurity incident in which an unauthorized third party exploited a zero-day vulnerability in a third-party softw…

Unknown · September 20, 2025

BK Technologies Corporation

On approximately September 20, 2025, BK Technologies Corporation detected suspicious activity involving its IT systems and launched an inves…

Unknown · August 29, 2025

EVERTEC, Inc.

On August 29, 2025, Sinqia S.A., a Brazilian subsidiary of EVERTEC, Inc., identified unauthorized activity in its Pix real-time payment envi…