Cloud storage firm DropBox disclosed a security incident, where hackers compromised its DropBox Sign eSignature environment and made off with authentication tokens, MFA keys, hashed passwords, and customer information.

The company said in a SEC filing that it became aware of the breach on April 24, 2024, and immediately activated its cybersecurity incident response process.

“Upon further investigation, we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings. For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication,” the company said. “Based on what we know as of the date of this filing, there is no evidence that the threat actor accessed the contents of users’ accounts, such as their agreements or templates, or their payment information.”

According to the company, the attacker gained access to a Dropbox Sign automated system configuration tool and hacked into a service account that was part of Sign’s back-end and had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access the customer database.

In response, DrpBox’s security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and initiated the rotation of all API keys and OAuth tokens.

DropBox said it believes that the incident is limited to the Dropbox Sign (formerly HelloSign) platform and has not affected any other products.