Major file hosting service Dropbox had information from users of Dropbox Sign, previously known as HelloSign, compromised following a cyberattack against the e-signature service provider late last month, reports The Record, a news site by cybersecurity firm Recorded Future.
All Dropbox Sign users had their names, emails, and account settings accessed by attackers, with some users also having their phone numbers, multi-factor authentication approaches, hashed passwords, and other authentication details exposed as a result of the incident, said Dropbox in a filing with the U.S. Securities and Exchange Commission. However, users' agreements, templates, and payment information are believed not to have been compromised by the incident, which Dropbox said only impacted the infrastructure of Dropbox Sign and not its other offerings.
Individuals with API access to Dropbox Sign were also informed regarding the generation of new API keys and temporary functionality restrictions amid breach remediation efforts. Such an incident comes more than a year after Dropbox reported having its GitHub accounts compromised following a successful phishing attack against its developers.
