Incident · Unknown

Dropbox, Inc. · DBX

Information Technology · USA · Incident April 24, 2024 · Filed May 1, 2024
Impact score
Business continuity
Insurance involved
Not disclosed
Filing
8-K · 1.05

Breach taxonomy

Unknown · Data Exfil · Personal Data · Info Privacy Loss

Summary

On April 24, 2024, Dropbox became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment by a threat actor. For all Dropbox Sign users, the actor accessed emails, usernames, and general account settings; for subsets of users, the actor also accessed phone numbers, hashed passwords, and authentication material including API keys, OAuth tokens, and multi-factor authentication information. As of the filing date, Dropbox reported no evidence that agreement contents, templates, or payment information were accessed, and no evidence that the production environments of other Dropbox products were reached; the company believes the incident was limited to Dropbox Sign infrastructure.

Tagging rationale

Threat · Unknown

Filing does not attribute the incident to any specific threat actor → UNKNOWN.

Methods · Data Exfil

Filing confirms the threat actor accessed user data including hashed passwords, API keys, OAuth tokens, and MFA information. Unauthorized retrieval of credential material of this kind is treated here as data exfiltration → DATA EXFIL.

Assets · Personal Data

Filing discloses access to emails, usernames, and general account settings for all Dropbox Sign users, and to phone numbers, hashed passwords, API keys, OAuth tokens, and MFA information for subsets of users — personal data together with credentials and authentication material → PERSONAL DATA.

Effects · Info Privacy Loss

Unauthorized access to user personal data and credentials; the filing excerpt describes no operational disruption to Dropbox's business → INFO PRIVACY LOSS.

Impact

All Dropbox Sign users had their email, username, and general account settings exposed; subsets of users also had hashed passwords, API keys, OAuth tokens, and MFA information compromised. The filing reports no evidence that payment data or document contents (agreements, templates) were accessed, no evidence of access to other Dropbox products, and describes no disruption to operations.

Insurance · Not disclosed

Filing makes no mention of insurance.

Original SEC filing excerpt

Item 1.05 Material Cybersecurity Incidents

On April 24, 2024, Dropbox, Inc. became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. We immediately activated our cybersecurity incident response process to investigate, contain, and remediate the incident. Upon further investigation, we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings. For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. Based on what we know as of the date of this filing, there is no evidence that the threat actor accessed the contents of users' accounts, such as their agreements or templates, or their payment information. Additionally, we believe this incident was limited to Dropbox Sign infrastructure and there is no evidence that the threat actor accessed the production environments of other Dropbox products.