WaterISAC is sharing this for member awareness. Utilities using Dropbox Sign (with or without an account) are encouraged to review and address accordingly.
Dropbox disclosed on Wednesday that they experienced a data breach in their Dropbox Sign feature by an unknown threat actor. The breach affects all users of Dropbox Sign including emails, usernames, and general account settings. For a subset of users, threat actors were also able to access phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. The breach also affects third parties who received or signed a document through Dropbox Sign even if they didn’t create an account themselves. Dropbox has stated they are cooperating with law enforcement and regulatory authorities on the matter. The investigation is ongoing. For more details, access The Hacker News.