Dropbox is warning that bad actors breached its Dropbox Sign digital signature service, gaining access to customer data in the process.

Dropbox revealed the incident in a filing with the SEC, saying it became aware of the incident on April 24, 2024, and activated its cybersecurity incident response to contain the breach.

Upon further investigation, we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings. For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.

The company says there is no indication that users’ content was accessed.

Based on what we know as of the date of this filing, there is no evidence that the threat actor accessed the contents of users’ accounts, such as their agreements or templates, or their payment information. Additionally, we believe this incident was limited to Dropbox Sign infrastructure and there is no evidence that the threat actor accessed the production environments of other Dropbox products. We are continuing our investigation.

Dropbox says it is working with law enforcement and will notify users as appropriate.