
Dropbox Sign Hacked: 700,000 User Records Stolen Including MFA Tokens and OAuth Credentials

April 2024
Breach Disclosed — April 24, 2024
On April 24, 2024, Dropbox disclosed a major breach of Dropbox Sign (formerly HelloSign). Attackers accessed the production infrastructure and stole user data for all Dropbox Sign customers — including hashed passwords, phone numbers, multi-factor authentication configuration, OAuth tokens, and API keys.

What Was Stolen

The entry point was a service account with elevated privileges. Beyond usernames, email addresses, and hashed passwords, attackers obtained phone numbers, multi-factor authentication configuration, OAuth tokens, and API keys; customers who had signed in with Google OAuth also had their Google OAuth tokens exposed.

700K+ user records exposed
Apr 24, 2024: breach disclosed
3rd major Dropbox security incident since 2012

Sources:
Dropbox Security Advisory, "A security incident involving Dropbox Sign", April 24, 2024
TechCrunch, "Dropbox says hackers stole customer data, authentication tokens from eSign service", April 2024
BleepingComputer, "Dropbox discloses breach of digital signature service affecting 700K", April 2024
Wired, "What the Dropbox Sign Breach Means for Cloud Service Security", 2024

"On April 24 we became aware that a threat actor accessed the Dropbox Sign production environment... and accessed customer information."

— Dropbox Security Advisory, April 2024

A Pattern of Breaches

The 2024 breach is the third major security incident Dropbox has disclosed since 2012. In 2012, 68 million passwords were stolen. In 2022, GitHub repositories were accessed via phishing. In 2024, the production environment was breached via a privileged service account, exposing 700,000+ records including OAuth tokens. The OAuth tokens stolen in 2024 are particularly significant — unlike hashed passwords, they are immediately usable to impersonate account holders to third-party services.

Dropbox Sign's breach exposed not just passwords but authentication tokens — meaning attackers may have had the ability to access victims' actual document storage, not just their account metadata.

The Solution

A Breached Cloud Account Yields Only Ciphertext

With 1Cryptor, even stolen OAuth tokens give an attacker nothing useful. The files in your cloud storage are AES-256-GCM ciphertext. The key is derived from your passphrase using Argon2id — it was never on the cloud provider's servers, and it cannot be compelled or stolen from them.

Encryption: AES-256-GCM
Key derivation: Argon2id
Server keys: zero
Chunk size: 5 MB encrypted
Cloud breach yields only ciphertext — worthless to attacker
Keys derived locally from your passphrase only
Never stored on cloud provider's servers
Even stolen OAuth tokens can't decrypt 1Cryptor files
Download 1Cryptor free on the App Store. No subscription. Your keys never leave your device.