Popular San Francisco-based cloud storage provider Dropbox has confirmed that it suffered a data breach from a “threat actor” on April 24. The company says, in what it believes to be an isolated incident, the hacker “accessed Dropbox Sign customer information”. Dropbox says the data accessed included email addresses, usernames, phone numbers and hashed passwords, general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.
Dropbox says that it’s found no evidence of unauthorised access to the contents of customers’ accounts, i.e. their documents or agreements, or payment information.
The company says it has “reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens.” Dropbox also says it has reported the event to data protection regulators and law enforcement.