Dropbox Sign (formerly HelloSign) discovered unauthorized access to its production environment, compromising customer information. While the incident was contained to Dropbox Sign infrastructure, we take full responsibility for the breach and are committed to addressing its impact on our users. Here are the details of the incident and our response:


    What Happened:

    • A threat actor gained access to Dropbox Sign’s production environment, exposing customer data including email addresses, usernames, phone numbers, and hashed passwords.
    • Users who received or signed documents through Dropbox Sign without creating an account also had their email addresses and names exposed.
    • Notably, no evidence suggests unauthorized access to the contents of users’ accounts or payment information.

    Their Response:

    • Upon discovering the breach,  a thorough investigation and reset users’ passwords as a precautionary measure.
    • Users were logged out of all connected devices, and we are coordinating the rotation of all API keys and OAuth tokens.
    • Promptly reported the incident to data protection regulators and law enforcement authorities.

    What Users Need to Do:

    • Users are advised to reset their passwords the next time they log in to their Dropbox Sign account. Instructions for password reset will be sent via email.
    • API customers must rotate their API keys for enhanced security. Restrictions on API keys will be lifted once the rotation is completed.
    • Customers using authenticator apps for multi-factor authentication should reset them, while those using SMS authentication are not required to take action.
    • Users who reused their Dropbox Sign password on other services should change their passwords on those accounts and enable multi-factor authentication when available.


    • Impact on Dropbox Accounts: This incident was isolated to Dropbox Sign infrastructure and did not affect other Dropbox products.
    • Sign API Customers: Names and email addresses of users who received or signed documents were exposed.
    • Additional Information: Users impacted by the breach will receive further instructions within a week.

    Date of Investigation Completion: Ongoing

    Cookie Consent with Real Cookie Banner