Dropbox Sign service breached by unidentified threat actor

Target Industry 

Indiscriminate, opportunistic targeting.  

Overview

Dropbox Sign (formerly known as HelloSign) is free, simple-to-use eSignature software for signing documents with digital signatures. Dropbox has disclosed through an SEC 8-K filing that an unknown threat actor gained unauthorised access to all Dropbox Sign user data. The threat actor compromised a service account and used it to run automated configuration tools, which gave them access to a substantial amount of user data.

Impact 

According to the disclosed SEC 8-K filing, the investigation identified that the threat actor had unrestricted access to all Dropbox Sign users' emails, usernames, phone numbers, API keys, OAuth tokens, multi-factor authentication (MFA) keys, and password hashes. It is important to note that third parties who signed documents through the software but never created an account still had their email addresses and names exposed. Currently, there is no evidence that the threat actor accessed the production environment of other Dropbox products.

Targeted Organisations

It is almost certain that all users of Dropbox Sign were impacted, although the primary target was Dropbox Sign itself.

Containment, Mitigations & Remediations

Dropbox took immediate action to contain the breach: users were logged out of their devices and active sessions, passwords were reset, and API keys and OAuth access tokens were rotated. Dropbox has issued guidance for all users impacted by this incident.

Threat Landscape

Dropbox has more than 700 million registered users across 180 countries. However, there is currently no specific data on the number of users who actively use Dropbox Sign.  

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing. 

Further Information 

Dropbox SEC 8-K Filing

Dropbox Sign 

The Hacker News article

The Register article