Washington, D.C. 20549

Form 8-K

Pursuant to Section 13 or 15(d)
of the Securities Exchange Act of 1934

April 29, 2024
Date of Report (date of earliest event reported)
(Exact name of Registrant as specified in its charter)
(State or other jurisdiction of incorporation)(Commission File Number)(I. R. S. Employer Identification No.)

1800 Owens St.
San Francisco, California 94158
(Address of principal executive offices)
(415) 930-7766
(Registrant’s telephone number, including area code)
(Former name or former address, if changed since last report)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions (see General Instruction A.2. below):
    Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

    Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

    Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

    Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:
Title of each classTrading Symbol(s)Name of exchange on which registered
Class A Common Stock, par value $0.00001 per shareDBXThe NASDAQ Stock Market LLC
(Nasdaq Global Select Market)

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

Emerging growth company 
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. 

Item 1.05     Material Cybersecurity Incidents

On April 24, 2024, Dropbox, Inc. (“Dropbox” or “we”) became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. We immediately activated our cybersecurity incident response process to investigate, contain, and remediate the incident. Upon further investigation, we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings. For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. Based on what we know as of the date of this filing, there is no evidence that the threat actor accessed the contents of users’ accounts, such as their agreements or templates, or their payment information. Additionally, we believe this incident was limited to Dropbox Sign infrastructure and there is no evidence that the threat actor accessed the production environments of other Dropbox products. We are continuing our investigation.

When we became aware of the incident, we launched an investigation with industry-leading forensic investigators to understand what happened and mitigate risks to our users. We have notified and are working with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.

As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations, given our current understanding that this incident is limited to the Dropbox Sign infrastructure. We have not determined that the incident is reasonably likely to materially impact our financial condition or results of operations. We remain subject to various risks due to the incident, including potential litigation, changes in customer behavior, and additional regulatory scrutiny. Our remediation efforts are ongoing.

Forward-Looking Statements

This Form 8-K contains forward-looking statements as defined in the Private Securities Litigation Reform Act of 1995. Such forward-looking statements include statements regarding our ongoing investigation of the cybersecurity incident, the nature and known extent of the incident, the isolation of the incident to our Dropbox Sign infrastructure, Dropbox’s mitigation and remediation efforts, the potential disruption to our business or operations, and the potential impact on our operations, financial conditions, and results. These statements involve certain risks and uncertainties that may cause actual results to differ materially from expectations as of the date of this release. Among the factors that could cause actual results to differ materially from those indicated in the forward-looking statements are risks and uncertainties associated with the ongoing investigation of the incident, risks related security breaches or incidents, as well as other risks listed or described from time to time in Dropbox’s filings with the Securities and Exchange Commission (the “SEC”), including Dropbox’s Annual Report on Form 10-K filed with the SEC on February 16, 2024. All forward-looking statements are based on information and estimates available to Dropbox at the time of this Current Report on Form 8-K and are not guarantees of future performance. Except as required by law, Dropbox assumes no obligation to update any of the statements in this Current Report on Form 8-K.

Item 7.01     Regulation FD Disclosure

On May 1, 2024, Dropbox posted a blog regarding the incident. A copy of the blog is furnished as Exhibit 99.1 to this report.

The information in this Item 7.01 and Exhibit 99.1 shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), or otherwise subject to the liability of that section, and shall not be incorporated by reference into any registration statement or other document filed under the Securities Act of 1933, as amended, or the Exchange Act, except as shall be expressly set forth by specific reference in such filing.

Item 9.01     Financial Statements and Exhibits

(d) Exhibits:
Exhibit No.Exhibit Description
104.0Cover Page Interactive Data File (embedded within the Inline XBRL document).


Pursuant to the requirements of the Securities Exchange Act of 1934, as amended, the Registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

Dated: May 1, 2024

Dropbox, Inc.
/s/ Bart Volkmer
Bart Volkmer
Chief Legal Officer