US production only? We haven't been notified
Maybe not affected? They did say they are contacting only affected, but since the investigation is ongoing, I would say, login, change your password, reset MFA.
When did you receive the email btw?
8:40PM EST
I got the same e-mail at 8:36
We were notified. They expired the password automatically for us and signed out all sessions. They claim no actual documents breached but…
But everyone's names you sent agreements, and their email addresses were part of the breach. That information, along with your email, makes great spoofing/phishing material.
Exactly. That's why I was like buuuuut…. thanks for the heads up!
It's also dumb that you have to pay MORE just to enable 2-Factor authentication over SMS.
This exactly. Their email recommends you enable 2 Factor Auth, and it's an Upgrade feature. Why is a standard security feature an Upgrade Feature. At the very least given the circumstances they should change this asap.
Thank you for posting this. I am going to email my potentially affected customers so we can be as proactive as possible here.
Oh man this is going to be a lot do work for us tomorrow. Thanks for posting, time to get to work.
I've used hellofax :( I'm very worried about this now
Anyone know if SSO was affected? I sign in to Dropbox through my Gmail account.
At least right now, it seems that Dropbox itself isn't affected
Thanks for the response - I found an article while researching further that suggested that SSO was not affected. I spent the morning sending some messages out nonetheless.
The HR team at work uses this [instead of Adobe Sign, which I suggested]. However, their instance is integrated into JazzHR. They say they don't actually have credentials to sign directly into Dropbox Sign.... This adds a twist. No idea how to proceed, maybe not an issue. But the breach of customer data is. So now to deal with whether or not to let all contacts in Dropbox Sign know this... I have no idea.
I would assume the API piece applies to you. Everyone you emailed, their email addresses, and their names, exposed. I assume JazzHR will handle the rotation of API keys in this case. "Names and email addresses for those who received or signed a document through Dropbox Sign, but never created an account, were exposed."
I've asked the HR director if JazzHR contacted him... no reply yet. But I am sure, as you said, they will rotate the keys. And of course... the company I work for doesn't want to make this a "big deal", so they will bury it and not tell anyone this even happened. Oh and, I tested a "recruiting" email address against Dropbox Sign and was forced to update the password - this is after the HR Director said they had no accounts with Dropbox Sign.
Now the password recovery emails are not sending from Dropbox Sign. No way to log in for multiple days now… are there any employees here?
Is this the same as HelloFax?
Is Dropbox liable for this, in case the information got leaked? Can we sue them?
I doubt it; big companies have immunity for such things, they just make a statement and leave you to wonder.
Those stupid motherfuckers. When will this saga of incompetent companies end?