Dropbox Hacked! Threat Actor Accessed Passwords and Phone Numbers

File hosting service Dropbox says a threat actor breached its e-signature service and accessed customer data, including phone numbers and passwords.

In a worrying notice on the company blog, the cloud storage biz says  it noticed on April 24 unauthorized access to the Dropbox Sign (formerly HelloSign) production environment.

A quick analysis revealed that a threat actor had broken in to access customer information such as emails, usernames, phone numbers and hashed passwords, as well as general account settings and certain authentication information (API keys, OAuth tokens, and multi-factor authentication).

People who only received or signed a document through Dropbox Sign – but never created an account – also had their email addresses and names exposed.

Customers who used the “sign up with…” option are safe as far as passwords go.

Because Dropbox Sign is secluded from other Dropbox services, the company believes the threat actor did not access other Dropbox services, the contents of customers’ digital storage ‘boxes’ (i.e. documents), or payment data.

“We thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products,” the cloud company said.

Dropbox is now reaching out to all people impacted by this incident with step-by-step instructions on how to protect themselves from attacks leveraging their stolen data.

The Dropbox security team has reset the passwords of affected users and logged users out of any devices they had connected to Dropbox Sign.

According to the results of our 2024 Consumer Cybersecurity Assessment Report, password management remains one of consumers’ weakest points, with 37% of netizens writing down their passwords, 18.7% using a single password for three or more accounts, and 15.8% using the same password for at least two accounts.

If you reused your Dropbox Sign password on any other services, Bitdefender strongly recommends that you access those accounts, use the ‘reset password’/’forgot password’ option, and set up all-new passwords with those accounts. Enable multi-factor authentication as well, preferably with a trusted authenticator app (where available) instead of SMS.

Consider using a password manager to avoid recycling passwords out of convenience.

You may also want to use a data monitoring service like Bitdefender Digital Identity Protection. DIP lets you instantly find out if your data has leaked online, what type of information was compromised, what risks you face, and whether your information is up for sale on the dark web.