Dropbox Data Breach: How to Check if You're Affected

Who is Affected by Dropbox Data Breach?

The first thing to note is that the breach only affects Dropbox Sign users – if you’re a Dropbox cloud user, then you’re not affected, that is assuming you’re not also a Dropbox Sign user.

You may have used Dropbox Sign in the past to sign a digital document, but unless you have actually created an account with the service, then the company won’t have your details on its system. For instance, if you used ‘Sign in with Google’, then you’re in the clear. Dropbox itself has acknowledged that the Dropbox Sign infrastructure is separate from its other services, and as such issues are isolated to just Dropbox Sign accounts.

What Data Was Compromised in Dropbox Data Breach?

While no data breach is good, in this scenario, what the third party who infiltrated Dropbox’s systems got away with could have been worse.

The threat actor was able to access usernames, emails, hashed passwords, phone numbers and multi-factor authentication information.

What they didn’t have access to was the contents of customers’ accounts, such as documents, agreements, and most vital of all, payment information.

Dropbox has confirmed that it has automatically reset users’ passwords as a result, and logged them out of devices.

How to Check if You’re Affected by Dropbox Data Breach

If you’re a Dropbox Sign customer, you will be understandably concerned by the news of this breach. If you are a user of other Dropbox services, it’s worth stating again that you are unlikely to be affected.

Dropbox has stated that it is reaching out to customers who have been affected, with advice on how to mitigate the risks of the breach, so if you’re one of them, you should receive a message by the end of the week. If you want to reach out to Dropbox directly about the breach, you can contact them here.

One step you can take is to keep an eye on the excellent website www.haveibeenpwned.com, which can tell you if your personal data has been comprised and made publicly available, simply by entering your password. While we don’t know yet if this Dropbox data has made it onto the web yet, or if the threat actor is currently looking for someone to sell it to, it’s always worth checking haveibeenpwned on a regular basis.

If you were using the same password for Dropbox Sign for other sites and services, you’ll want to change these as quickly as possible, as it could mean that anyone with this information could also access other accounts you own.

Reusing passwords across multiple accounts is considered very poor practice, but juggling multiple passwords makes it an easy trap to fall in to. We suggest using a password manager for peace of mind.