Credential theft

Dropbox Sign (HelloSign) Breach: Customer Data, API Keys, MFA, OAuth Tokens

📅 2024-04-24 🏢 Dropbox Sign (formerly HelloSign) e-signature platform
Primary Source ↗

Incident Details

On 24 April 2024, Dropbox became aware that a threat actor had gained unauthorized access to the production environment of Dropbox Sign (formerly HelloSign), an e-signature service used by businesses and individuals to sign documents legally online. The attacker accessed the customer database covering all Dropbox Sign users, including API customers (those who integrate Dropbox Sign into their own applications through its API).

Exposed data for Dropbox Sign customers included email addresses, usernames, phone numbers, hashed passwords and general account settings. For subsets of users, authentication material was also accessed: API keys, OAuth tokens and multi-factor authentication information, including TOTP seeds. The exposure of TOTP seeds is particularly serious. The seed is the shared secret from which every one-time code is derived, so anyone holding it can compute the current code and every future code for the account; until the seed is replaced, the second factor offers no protection. In response, Dropbox reset all Dropbox Sign user passwords, logged users out of connected devices, rotated API keys and OAuth tokens, and required users with authenticator-app MFA to delete the old entry and re-enrol with a new seed.

Dropbox stated that the breach was limited to Dropbox Sign's infrastructure, which is largely separate from other Dropbox services, and that no other Dropbox products, accounts, documents or file data were accessed. Users who only used Dropbox Sign through a third-party integration had their third-party account data (not Dropbox data) exposed, and people who received or signed a document through Dropbox Sign without ever creating an account had their names and email addresses exposed. Dropbox reported no evidence that the contents of customer accounts (the signed documents and agreements themselves) were accessed, although the incident still raised concerns about document confidentiality on the platform.
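To make concrete why a leaked TOTP seed defeats MFA, the following is an added example (not code from Dropbox, Dropbox Sign or the original page). It implements RFC 4226 HOTP and RFC 6238 TOTP from the Python standard library, shows the codes an attacker can precompute from a stolen seed, and shows that a server holding the same seed accepts them. The seed `JBSWY3DPEHPK3PXP`, the timestamps, the `verify_totp` server-side check and the `new_seed` re-enrolment helper are all constructed for illustration and are not Dropbox Sign's implementation.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window (30 s by default)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def decode_seed(base32_seed: str) -> bytes:
    """Authenticator apps and otpauth:// URIs carry the seed base32-encoded; restore padding and decode."""
    s = base32_seed.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def codes_from_leaked_seed(base32_seed: str, start_time: int, windows: int, step: int = 30):
    """What an attacker holding a stolen seed can do: precompute the code for each future window.

    Returns a list of (window_start_time, code) pairs; no interaction with the victim is needed.
    """
    secret = decode_seed(base32_seed)
    first = start_time - start_time % step
    return [(first + i * step, totp(secret, first + i * step, step=step)) for i in range(windows)]


def verify_totp(secret: bytes, submitted: str, unix_time: int, skew_windows: int = 1, step: int = 30) -> bool:
    """Constructed server-side check: accept the code for the current window plus/minus clock skew.

    Uses a constant-time comparison. Because the server runs the same computation over the same
    seed, any code derived from a stolen seed is indistinguishable from the legitimate user's.
    """
    for w in range(-skew_windows, skew_windows + 1):
        if hmac.compare_digest(totp(secret, unix_time + w * step, step=step), submitted):
            return True
    return False


def new_seed(nbytes: int = 20) -> str:
    """Re-enrolment: the only remedy for a leaked seed is a fresh random one (160 bits for SHA-1)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


if __name__ == "__main__":
    # Constructed example seed, as it would appear in a leaked MFA table or otpauth:// URI.
    leaked = "JBSWY3DPEHPK3PXP"
    now = int(time.time())
    print("codes an attacker can precompute from the leaked seed:")
    future = codes_from_leaked_seed(leaked, now, 4)
    for t, code in future:
        print(f"  valid from {t}: {code}")
    # The server accepts the attacker's code because it holds the same seed.
    t, code = future[-1]
    print("server accepts attacker-computed code:", verify_totp(decode_seed(leaked), code, t))
    # After re-enrolment with a fresh seed, codes derived from the old seed stop verifying.
    fresh = new_seed()
    print("old code verifies against fresh seed:", verify_totp(decode_seed(fresh), code, t))
```

The `hotp` and `totp` functions reproduce the RFC 4226 and RFC 6238 test vectors for the 20-byte ASCII seed `12345678901234567890`, which is a quick way to confirm any TOTP implementation before relying on it. Note that rotating the password or logging users out does nothing against a stolen seed; only issuing a new seed (as Dropbox did by requiring re-enrolment) invalidates the attacker's precomputed codes.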

Technical Details

Initial Attack Vector
The attacker compromised a service account in Dropbox Sign's back end that was used by an automated system configuration tool. Service accounts of this kind are non-human identities created to run applications and automated jobs, and this one held privileges to take a range of actions in Sign's production environment. Using it, the attacker executed code in the context of the Sign application, which gave access to the customer database and to application secrets including API keys, OAuth tokens and MFA seeds. The practical lesson is that a single over-privileged automation credential reached both customer records and the secrets that protect them; scoping such accounts to the minimum they need and storing MFA seeds and tokens under separate, auditable access limits the blast radius of one compromised credential.
Vendor / Product
Dropbox Sign (formerly HelloSign) e-signature platform

Timeline

  1. 2024-04-24 Dropbox became aware of the unauthorized access (the intrusion itself began at an undisclosed earlier point)
  2. 2024-05-01 Publicly disclosed (Dropbox blog post and SEC Form 8-K)
  3. 2024-05-01 Customer notifications and forced credential resets began