Dropbox Sign Security Incident

Approved Vendor Notification

On Wednesday, May 1, 2024, Dropbox Sign (formerly HelloSign) disclosed that it experienced unauthorized access to the Dropbox Sign production environment. As the Illinois Shines program utilizes Dropbox Sign for the e-signing of Disclosure Forms, the Program Administrator received email notification of this incident. Dropbox Sign confirmed that customer information such as emails, usernames, phone numbers, and hashed passwords was accessed, as well as general account settings information and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. Recipient names and emails were also exposed. Based on their investigation, there is no evidence of unauthorized access to the contents of customers’ accounts (i.e., documents or agreements) or their payment information. Based on this information, the Program Administrator believes that Disclosure Form data was not accessed. Dropbox Sign’s notice of the incident, including details of the incident and its investigation, its response, and customer FAQs, can be found at https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign.

As Dropbox Sign is used by stakeholders in the Program portal, Approved Vendors are encouraged to become familiar with the details of the incident, to share them with their Designees, and to be prepared to support customers who may have received the Dropbox Sign communication. At present, there is no action for Approved Vendors to take within the Program portal. The Program Administrator is taking all the appropriate steps to protect our system (changing our API key and having internal users with Dropbox accounts reset their passwords and MRAs).

Thank you!    
Illinois Shines Program    
[email protected]