You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When we became aware of this issue, we launched an investigation with industry-leading forensic investigators to understand what happened and mitigate risks to our users.
Based on our investigation, a third party gained access to a Dropbox Sign automated system configuration tool. The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database.
In response, our security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is helping customers rotate all API keys and OAuth tokens. We reported this event to data protection regulators and law enforcement.
https://www.dropboxsign.com/blog/a-recent-security-incident-involving-dropbox-sign
https://www.sec.gov/Archives/edgar/data/1467623/000146762324000024/dbx-20240429.htm
known AWS customer: https://aws.amazon.com/solutions/case-studies/dropbox-hellosign-security/
The text was updated successfully, but these errors were encountered: