Summary
Material Cybersecurity Incident
On April 24, 2024, Dropbox, Inc. discovered unauthorized access to its Dropbox Sign (formerly HelloSign) production environment. The incident involved access to user data such as emails, usernames, phone numbers, hashed passwords, API keys, OAuth tokens, and multi-factor authentication information. However, there is no evidence that the threat actor accessed the contents of user accounts or payment information. The incident appears to be isolated to the Dropbox Sign infrastructure, with no impact on other Dropbox products.
Response and Impact
Upon discovering the breach, Dropbox initiated an investigation with forensic experts, notified law enforcement, and began informing regulatory authorities and affected users. Despite the breach, Dropbox does not anticipate a material impact on its overall business operations or financial condition, though it acknowledges potential risks such as litigation and regulatory scrutiny.
Forward-Looking Statements
Dropbox cautions that ongoing investigations and future findings could change the current assessment. Risks associated with security breaches and the company’s mitigation efforts could impact future operations and financial results.
For more details, you can view the full filing on the SEC website here.