Dropbox Sign for integrators: the HelloSign rebrand, then a breach that rotated their keys
2022 rebrand; 2024 breach fallout
The HelloSign API was rebranded to the Dropbox Sign API in 2022, and after the 2024 Dropbox Sign breach the company rotated API keys and OAuth tokens — meaning developers who had embedded e-signature functionality had to update credentials and re-establish connections, not just rename a product.
What happened
Dropbox acquired HelloSign in 2019 and, in October 2022, rebranded it to Dropbox Sign — the HelloSign API became the Dropbox Sign API. Dropbox told developers the rebrand itself was low-impact: existing integrations would keep working with 'HelloSign' simply replaced by 'Dropbox Sign,' and credentials were unchanged. Companion products were renamed too (HelloFax to Dropbox Fax, HelloWorks to Dropbox Forms).
The more serious consequence for integrators came later. In the April–May 2024 Dropbox Sign security incident, an attacker accessed the Dropbox Sign customer database, exposing authentication material including API keys, OAuth tokens, and MFA data. In response, Dropbox reset passwords, logged users out, and rotated API keys and OAuth tokens. (The breach as a security event is covered by the existing 2024-dropbox-sign-breach entry; the developer angle is distinct.) For any application that had embedded Dropbox Sign signing into its own product, that rotation was a forced break: previously working API keys and tokens stopped working, and developers had to obtain and deploy new credentials and re-authorize OAuth connections to restore their e-signature flows.
Impact
Integrators of Dropbox Sign experienced the rebrand as cosmetic but the 2024 breach response as operationally disruptive: a mandatory credential rotation that broke live signing integrations until their credentials were updated. It illustrates how a security incident in one acquired product cascades into unplanned engineering work for every third party that built on its API, compounding the developer-trust cost of the breach itself.