Guiffre v. Dropbox: the class action over the 2024 Dropbox Sign breach
May 2024
Within weeks of the Dropbox Sign breach disclosure, users filed a proposed class action in California federal court alleging Dropbox failed to protect their data and was slow to notify them.
What happened
On 1 May 2024 Dropbox disclosed, in a blog post and an SEC Form 8-K, that an attacker had accessed the production environment of Dropbox Sign (its eSignature product, formerly HelloSign) and obtained customer data including emails, usernames, phone numbers, hashed passwords, API keys, OAuth tokens, and multi-factor authentication information. Notably, even people who had only received or signed a document through Sign — without ever creating an account — had their email addresses and names exposed.
Within weeks, plaintiffs filed a proposed class action, Guiffre v. Dropbox, Inc., No. 3:24-cv-02794, in the U.S. District Court for the Northern District of California. The complaint alleges that Dropbox failed to implement reasonable security measures to protect personally identifiable information and that the company learned of the unauthorized access on or about 24 April 2024 but did not notify affected users until early May, leaving them exposed to phishing, identity theft, and fraud in the interim. The suit seeks damages and injunctive relief requiring stronger security practices.
The case is one of several consumer claims arising from the Sign breach. As a proposed class action it must clear class-certification and pleading hurdles, and as with most data-breach litigation the path runs through motions over standing and concrete harm before any trial or settlement.
Impact
The litigation converts the Sign breach from a security event into an ongoing legal and financial liability and a recurring item in Dropbox's risk disclosures. It also spotlights a structural exposure of eSignature platforms: non-account 'recipients' whose data sits in the system without any direct relationship with the vendor. For users it underscores how a breach of a single acquired product (HelloSign/Sign) can sweep in people who never chose Dropbox at all.