Dropbox Sign Data Breach

| Company | Dropbox |
|---|---|
| Breach Date | April 24, 2024 |
| Disclosure Date | May 1, 2024 |
| Records Affected | Undisclosed |

In April 2024, Dropbox discovered unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. The attacker accessed customer data, including email addresses, usernames, and authentication tokens, for all users of the e-signature service.

What Happened

On April 24, 2024, Dropbox detected unauthorized access to the Dropbox Sign production environment. The attacker compromised a service account used for automated system configuration, gaining access to the Dropbox Sign customer database. The threat actor accessed information for all Dropbox Sign users, including those who received or signed documents through the service without creating an account. Dropbox stated that the core Dropbox file storage service was not affected. The company reset passwords, logged out all sessions, and rotated API keys.

What Data Was Exposed

- Email addresses
- Usernames
- Phone numbers
- Hashed passwords
- API keys, OAuth tokens, and MFA authentication details
- Account settings
- Names and email addresses of those who received or signed documents (even without accounts)

Who Is Affected

All Dropbox Sign users were affected, as well as anyone who received or signed a document through Dropbox Sign, even without having a Dropbox Sign account. The total number of affected individuals was not publicly disclosed.

How to Check If You Were Affected

Dropbox emailed all affected Dropbox Sign users with information about the breach. Check your email (including spam) for communications from Dropbox. If you ever used Dropbox Sign or received a document through the service, assume your email address was exposed. Visit HaveIBeenPwned.com to check if your email appears in this breach.

What You Should Do Now

- Change your Dropbox Sign password immediately
- Regenerate any API keys used with Dropbox Sign
- Reconfigure MFA with a new authenticator app or key
- If you used the same password elsewhere, change those passwords too
- Review connected third-party applications and revoke unnecessary access
- Be cautious of phishing emails pretending to be Dropbox Sign requests

Last updated: February 10, 2026