Dropbox Sign Data Breach 2024: Lawsuit Says File-Sharing Company Failed to Protect Dropbox Sign Users’ Info from Hackers
Last Updated on May 14, 2024
Dropbox faces a proposed class action lawsuit out of California that claims the cloud storage provider is to blame for a significant data breach impacting Dropbox Sign users.
The 32-page Dropbox Sign data breach lawsuit shares that the San Francisco-based company, on April 24, 2024, discovered unauthorized activity on its Dropbox Sign platform, an eSignature service that allows consumers to upload legally binding signatures for use in online documents. A subsequent investigation revealed that, during the incident, a threat actor gained access to personal information belonging to current and former Dropbox Sign customers, the filing says.
According to a Dropbox blog post published early this month, the unauthorized third party was able to patch into one of the back-end configuration tools for Dropbox Sign (formerly called HelloSign), which ultimately gave them access to Dropbox Sign’s customer database and the private data stored therein.
The suit says the Dropbox cyberattack compromised consumers’ email addresses, usernames, phone numbers, hashed passwords, general account settings and certain account authentication information. Even those who only used the platform to send or receive a document without creating a Dropbox Sign account had their names and email addresses exposed, the blog post adds.
Importantly, the case relays that data thieves can use the stolen Dropbox account authentication data—such as API keys, OAuth tokens and multi-factor authentication details—to gain access to a user’s account, where sensitive documents and payment information may be stored.
The company’s blog post points out that the breach did not impact any other Dropbox products and notes that there is currently no evidence that customers’ files or payment data has been accessed.
As a result of the defendant’s negligence, the complaint alleges, the private information of potentially millions of victims is now in the hands of data thieves, who can use it to target customers for cybercrimes, including identity theft and fraud.
Dropbox Sign lacked “even the most basic” cybersecurity protocols, lawsuit says
According to the Dropbox Sign data breach lawsuit, the cyberattack was a direct result of Dropbox’s failure to maintain adequate data security practices necessary to protect customer information from what was purportedly a “foreseeable threat.” The suit contends that, for one, the cloud storage company did not adequately monitor its computer network for unauthorized activity.
“Had Dropbox properly monitored these electronic systems, [it] would have discovered the intrusion sooner or prevented it altogether,” the case contests.
In addition, the filing claims that the harm suffered by impacted consumers is compounded by the fact that Dropbox delayed notifying victims about the exposure of their data. Although the company claims to have learned of the breach on April 24, 2024, the process of notifying victims is still underway, Dropbox’s blog post says.
The notification delay kept Dropbox data breach victims from taking timely measures that may have negated or softened the harm from the cyberattack, the filing relays. The Dropbox data breach notice itself fails to disclose how the company discovered encrypted files on its systems were impacted, the “means and mechanism” of the cyberattack, and why there was a delay in notifying victims, the complaint adds.
“Dropbox’s failure to timely notify the victims of its Data Breach prevented [the plaintiff] and Class Members from taking swift affirmative measures to prevent or mitigate the resulting harm, including but not limited to changing their passwords and monitoring accounts for unauthorized activity,” the lawsuit asserts.
The filing stresses that impacted individuals will now have to closely monitor their financial accounts and likely pay significant out-of-pocket costs to protect themselves from identity theft and fraud.
“Dropbox is no stranger to data breaches,” suit says
According to the case, lax data security on Dropbox’s part has led to numerous prior incidents since the company’s inception in 2007. Between a 2012 data breach that compromised the information of 68 million users—said to be the “biggest hack in cloud storage history”—and a more recent 2022 phishing attack involving stolen employee credentials, Dropbox has a storied history of cybersecurity incidents and unauthorized data disclosure, the complaint contends.
Who does the Dropbox lawsuit look to cover?
The Dropbox data breach lawsuit looks to represent anyone in the United States whose private information was compromised as a result of the Dropbox Sign data breach, including those who were sent a notice of the incident.
My info was exposed in the Dropbox Sign data breach. How do I join the lawsuit?
There’s usually nothing you need to do to join or add your name to a class action lawsuit when it’s first filed. The time to act is normally if and when the lawsuit settles, at which time people covered by the settlement—known as class members—may receive direct notice of the deal via email or regular mail with details about their rights and instructions on what to do next.
Remember, it often takes months or even years for a class action lawsuit to be resolved.