---
schema_version: "secwatch.filing_event.v1"
accession: "0001467623-24-000024"
form_type: "8-K"
ticker: "DBX"
cik: "0001467623"
company_name: "DROPBOX, INC."
filed_at: "2024-05-01T23:59:59+00:00"
generated_at: "2026-06-03T02:41:14.415576+00:00"
event_type: "cyber"
sentiment: "negative"
materiality_score: 0.3
calibrated_materiality_score: 0.3
confidence: "high"
source: SEC EDGAR
---

# Dropbox reports unauthorized access to Dropbox Sign production environment affecting user data

## Summary
- Threat actor accessed Dropbox Sign customer data including emails, usernames, phone numbers, hashed passwords, and authentication tokens.
- Incident discovered on April 24, 2024; no evidence of access to account contents (documents/agreements) or payment information.
- Dropbox believes the breach is isolated to Dropbox Sign infrastructure and did not affect other products like Dropbox cloud storage.
- Company reset passwords, logged out users, rotated API keys and OAuth tokens, and notified law enforcement and regulators.
- Dropbox states the incident has not had and is not reasonably likely to have a material impact on financial condition or operations.

## SEC filing metadata
- accession: 0001467623-24-000024
- form_type: 8-K
- ticker: DBX
- cik: 0001467623
- company_name: DROPBOX, INC.
- filed_at: 2024-05-01T23:59:59+00:00
- event_type: cyber
- sentiment: negative
- materiality_score: 0.3
- calibrated_materiality_score: 0.3
- confidence: high
- sec_items: 1.05, 7.01, 9.01
- EDGAR index: https://www.sec.gov/Archives/edgar/data/1467623/000146762324000024/0001467623-24-000024-index.htm
- EDGAR primary document: https://www.sec.gov/Archives/edgar/data/1467623/000146762324000024/dbx-20240429.htm

## Machine-readable alternates
- HTML: https://secwatch.observer/filing/0001467623-24-000024
- JSON: https://secwatch.observer/filing/0001467623-24-000024.json
- Plain text: https://secwatch.observer/filing/0001467623-24-000024.txt

## Key facts
- Cybersecurity Incidents
  DROPBOX, INC. disclosed a cybersecurity incident: Unauthorized access to the Dropbox Sign (formerly HelloSign) production environment, accessing user data such as emails, usernames, account settings, and for some users phone numbers, hashed passwords, and authentication information. Impact: No evidence of access to user account contents or payment information; incident limited to Dropbox Sign infrastructure; no material impact on overall business operations determined. Company determined it not material. Discovered 2024-04-24.
  - Nature: Unauthorized access to the Dropbox Sign (formerly HelloSign) production environment, accessing user data such as emails, usernames, account settings, and for some users phone numbers, hashed passwords, and authentication information.
  - Impact: No evidence of access to user account contents or payment information; incident limited to Dropbox Sign infrastructure; no material impact on overall business operations determined.
  - Materiality: not material
  - Discovery: 2024-04-24
  source text: On April 24, 2024, Dropbox, Inc. (“ Dropbox ” or “ we ”) became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment.
  evidence_url: https://www.sec.gov/Archives/edgar/data/1467623/000146762324000024/0001467623-24-000024-index.htm

This AI-assisted summary is a reading aid. Review the linked SEC EDGAR filing before relying on any specific claim.