
@sergiotapia

sergiotapia/1.md Secret

Created May 2, 2024 20:51

Hello,

We’re reaching out because on April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed Dropbox Sign customer information. You are receiving this message because your information was in the data the third party accessed.

What happened

We can confirm that Dropbox Sign customer information such as emails, usernames, phone numbers, hashed passwords, multi-factor authentication, and general account settings were obtained. Based on our investigation, there is no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information.

What we’re doing

When we became aware of this issue, we launched an investigation with industry-leading forensic investigators to understand what happened and mitigate risks to our users. In response, our security team reset users’ passwords and logged users out of any devices they had connected to Dropbox Sign.

What you can do

Passwords and multi-factor authentication: We’ve expired your password and logged you out of any devices you had connected to Dropbox Sign to further protect your account. The next time you log in to your Sign account, you’ll be sent an email to reset your password. Customers who use an authenticator app for multi-factor authentication should reset it as soon as possible. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.

If you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and utilize multi-factor authentication when available. Instructions on how to do this for your Dropbox Sign account can be found here.

At Dropbox, our number one value is to be worthy of trust. We hold ourselves to a high standard when protecting our customers and their content. We didn’t live up to that standard here, and we’re deeply sorry for the impact it caused our customers. We are grateful for your partnership, and we’re here to help all of those who were impacted by this incident.

For more information on this incident, how to contact us, and updates see here.

- The Dropbox team