Another week, another data breach. This time it’s the turn of Dropbox, with the company announcing in a blog post that its systems were accessed in late April.
The breach impacts Dropbox Sign (formerly HelloSign) users, and the data accessed includes emails, usernames and hashed passwords.
Read on to find out more about who has been affected by the breach, and what steps you can take to protect yourself if you’re one of the unlucky ones.
Dropbox Data Breach Details
This week, Dropbox announced via its official blog that it had been victim of a data breach, first discovered on the April 24th, during which a threat actor accessed user records.
Dropbox has confirmed that the attack was isolated to Dropbox Sign users, and that while details such as email addresses and hashed passwords were accessed, the third party did not have access to personal documents or payment data.
🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this special tech.co offer.
Who is Affected by Dropbox Data Breach?
The first thing to note is that the breach only affects Dropbox Sign users – if you’re a Dropbox cloud user, then you’re not affected, that is assuming you’re not also a Dropbox Sign user.
You may have used Dropbox Sign in the past to sign a digital document, but unless you have actually created an account with the service, then the company won’t have your details on its system. For instance, if you used ‘Sign in with Google’, then you’re in the clear. Dropbox itself has acknowledged that the Dropbox Sign infrastructure is separate from its other services, and as such issues are isolated to just Dropbox Sign accounts.
What Data Was Compromised in Dropbox Data Breach?
While no data breach is good, in this scenario, what the third party who infiltrated Dropbox’s systems got away with could have been worse.
The threat actor was able to access usernames, emails, hashed passwords, phone numbers and multi-factor authentication information.
What they didn’t have access to was the contents of customers’ accounts, such as documents, agreements, and most vital of all, payment information.
Dropbox has confirmed that it has automatically reset users’ passwords as a result, and logged them out of devices.
How to Check if You’re Affected by Dropbox Data Breach
If you’re a Dropbox Sign customer, you will be understandably concerned by the news of this breach. If you are a user of other Dropbox services, it’s worth stating again that you are unlikely to be affected.
Dropbox has stated that it is reaching out to customers who have been affected, with advice on how to mitigate the risks of the breach, so if you’re one of them, you should receive a message by the end of the week. If you want to reach out to Dropbox directly about the breach, you can contact them here.
One step you can take is to keep an eye on the excellent website www.haveibeenpwned.com, which can tell you if your personal data has been comprised and made publicly available, simply by entering your password. While we don’t know yet if this Dropbox data has made it onto the web yet, or if the threat actor is currently looking for someone to sell it to, it’s always worth checking haveibeenpwned on a regular basis.
If you were using the same password for Dropbox Sign for other sites and services, you’ll want to change these as quickly as possible, as it could mean that anyone with this information could also access other accounts you own.
Reusing passwords across multiple accounts is considered very poor practice, but juggling multiple passwords makes it an easy trap to fall in to. We suggest using a password manager for peace of mind.
