On April 24, 2024, Dropbox Sign, a digital signature service, was compromised, exposing customer data such as emails, usernames, and security credentials.

The breach, stemming from unauthorized access to Dropbox's production environment, led to the control of a service account by attackers.

Affected data did not include account contents or payment information, but the extent of the breach impacted third parties who interacted with Dropbox Sign.

Dropbox is actively responding by advising password resets, vigilance against phishing, and for API customers, rotation and deletion of keys.

The company is also collaborating with law enforcement and regulatory bodies while directly contacting affected users to guide them through protecting their data.

Industry experts highlight the risks of identity theft and fraud post-breach and recommend proactive measures such as using a password manager and updating reused passwords.