Class actions over the 2024 Dropbox Sign breach: negligence and delayed-notice claims
2024
After Dropbox disclosed the April 2024 Dropbox Sign breach, affected users filed proposed class actions in federal court alleging that Dropbox negligently failed to protect their data and did not give prompt, adequate notice. The claims are allegations; the suits were later consolidated in the Northern District of California.
What happened
Dropbox disclosed on 1 May 2024 that an attacker had accessed the production environment of Dropbox Sign (formerly HelloSign), exposing customer data including emails, usernames, phone numbers, hashed passwords, and authentication information such as API keys, OAuth tokens, and MFA details. (The breach mechanics are covered separately; this entry concerns the litigation that followed.)
In the weeks after the disclosure, affected users filed proposed class-action lawsuits in the U.S. District Court for the Northern District of California. Plaintiffs including a Florida resident and a California resident alleged that Dropbox failed to implement adequate and reasonable data-security measures, did not encrypt sensitive information, and did not provide prompt and accurate notice of the breach. The complaints asserted theories such as negligence and sought damages, attorneys' fees, and injunctive relief — including demands that Dropbox fund long-term credit monitoring and submit to annual security audits. The suits were subsequently consolidated into a single class action in the Northern District of California.
These filings are allegations; as of this writing there is no public record of a finding of liability against Dropbox or of a final approved settlement in the consolidated case. The matter remains a live, post-2024 legal exposure tied to the breach.
Impact
The litigation translated the 2024 Dropbox Sign breach into direct legal and financial exposure and renewed questions about Dropbox's data-security practices and breach-notification timeline. Because Dropbox Sign handles e-signature workflows for legal and business documents, the suits also spotlighted the sensitivity of the exposed authentication secrets. The case is part of the broader 2024–2026 wave of data-breach class actions and remains unresolved.