Dropbox said its digital-signature product, Dropbox Sign, was breached by hackers, who accessed user information including e-mails, usernames and phone numbers.
The software company said it became aware of the cyberattack on 24 April, sought to limit the incident, and reported it to law enforcement and regulatory authorities.
“We discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as e-mails and usernames, in addition to general account settings,” Dropbox said on Wednesday in a regulatory filing. “For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens and multi-factor authentication.”
Dropbox said there is no evidence hackers obtained user accounts or payment information. The company said it appears the attack was limited to Dropbox Sign and no other products were breached. The company didn’t disclose how many customers were affected by the hack.
With more than 18 million paying users, San Francisco-based Dropbox is one of the best-known companies in the cloud storage industry and reported US$2.5-billion in revenue in 2023. Many of those users are consumers or small businesses, but it also touts corporate customers such as Dentsu Group. The company has worked to expand beyond storage with document management services and video-specific tools.
The hack is unlikely to have a material impact on the company’s finances, Dropbox said in the filing. The shares declined about 2.5% in extended trading after the cyberattack was disclosed and have fallen 20% this year. — Brody Ford, (c) 2024 Bloomberg LP