Search the Dropbox Watchdog archive
An attacker compromised the production environment of Dropbox Sign (formerly HelloSign), exposing customer emails, usernames, phone numbers, hashed passwords, and authentication secrets including API keys, OAuth tokens, and MFA data.
A federal judge compelled the users suing over the 2024 Dropbox Sign breach into individual arbitration — finding that by clicking 'I agree' to sign a document they had accepted Dropbox's terms — and then denied reconsideration, effectively shutting the class action out of court.
After Dropbox disclosed the April 2024 Dropbox Sign breach, affected users filed proposed class actions in federal court alleging Dropbox negligently failed to protect their data and did not give prompt, adequate notice. The claims are allegations, and consolidated litigation followed in the Northern District of California.
Within weeks of the Dropbox Sign breach disclosure, users filed a proposed class action in California federal court alleging Dropbox failed to protect their data and was slow to notify them.
Following the 2024 Dropbox Sign breach, affected users filed proposed class-action lawsuits accusing Dropbox of failing to secure their data and of notifying victims too slowly. Dropbox has contested the claims, arguing the exposed data poses no identity-theft risk.
Dropbox Sign (formerly HelloSign) is sold as a wholly separate subscription — a free tier capped at three documents per month, then Essentials at about $15, Standard at about $25, and Premium at roughly $40 per user per month — so existing Dropbox storage customers must pay again, per seat, to sign documents.
Before Dropbox acquired HelloSign in 2019, a patent-assertion entity called Digital Verification Systems had sued HelloSign over an electronic-signature patent — one of a wave of near-identical suits — leaving Dropbox to inherit the dispute along with the company.