Dropbox reports that its digital document signing service has been hacked. Fortunately, the attack has no impact on any of Dropbox’s other cloud services.

In a statement on its website, Dropbox reported that the incident occurred on April 24. The attack is said to have been nipped in the bud relatively quickly, but the data theft could not have been prevented. Dropbox reports that Dropbox Sign users’ personal information may have been stolen. Anyone who has already received a document via the platform must also expect possible data loss.

This includes usernames, email addresses, phone numbers, but also encrypted passwords and authentication tokens. Dropbox assures that it has already blocked all passwords and tokens that could be compromised to prevent misuse. According to the company, there is currently no evidence that Dropbox Sign accounts are at risk.

Dropbox suspects that the intruder entered via automated system configuration. So no human account was hacked. The investigation is ongoing and we expect to be able to provide further information within a few days.

Separate infrastructure

It is striking that the attack on Dropbox Sign is unlikely to have any impact on Dropbox’s other cloud services, such as the well-known storage service. The platform for adding an electronic scribble to documents runs on a completely separate infrastructure.

Dropbox added the service in 2019 with its acquisition of HelloSign and the platform has always continued to run on its own infrastructure. There are many questions about this method in terms of infrastructure management, but in this case it worked well for Dropbox.