Security incident involving Dropbox Sign

On May 1, 2024, we received a security notification from Dropbox Sign (formerly known as HelloSign), a third-party e-signature service used by ActiveCampaign. The Dropbox Sign security notification can be found here

Dropbox Sign reported that there was unauthorized access to its production environment, which exposed the names and email addresses of recipients of Dropbox Sign documents or agreements. According to Dropbox Sign, there is no evidence of unauthorized access to the contents of the documents or agreements at this time. 

ActiveCampaign was notified on May 1 and, by May 2, had completed the immediate security precautions recommended by Dropbox Sign with respect to our customer documents and agreements that use Dropbox Sign.  

What can I do to be safe going forward?

Unfortunately, phishing and spoofing attempts are on the rise. Please stay vigilant. You should be suspicious about any unsolicited emails regarding access to your ActiveCampaign account or emails that “spoof” the ActiveCampaign brand and purport to be sent from ActiveCampaign. 

Here are some additional tips to help you tell the difference between a legitimate ActiveCampaign email and a phishing or spoof email: 

  • Hover over all embedded links and check that URLs are what you expect and trust
  • Don’t open unknown or suspicious or unsolicited attachments or click such links
  • Look for misspellings, poor grammar, generic greetings, a false sense of urgency and/or a demand
  • Enable multi-factor authentication for all users on your ActiveCampaign account
  • Use strong, unique passwords for your ActiveCampaign account

ActiveCampaign will continue to monitor the situation and make available updates on this page as we diligently progress our investigation and learn more from Dropbox Sign.

Please contact us at if you have any questions or concerns. 

– ActiveCampaign Security Team

Was this article helpful?
0 out of 0 found this helpful

Have more questions? Submit a request

Start free trial