
Forum Discussion

KSL1030
New member | Level 2
7 months ago

Information regarding your Dropbox Sign (formerly HelloSign).

I got this email today.
Is this legitimate?

From: no-reply@em-s.dropbox.com
Date: May 5, 2024
Subject: Information regarding your Dropbox Sign (formerly HelloSign)

Hello,

We’re reaching out because on April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed Dropbox Sign customer information. You are receiving this message because your information was in the data the third party accessed.

What happened
We can confirm that Dropbox Sign customer information such as emails, usernames, phone numbers, hashed passwords, multi-factor authentication, and general account settings were obtained. Based on our investigation, there is no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information.

What we’re doing
When we became aware of this issue, we launched an investigation with industry-leading forensic investigators to understand what happened and mitigate risks to our users. In response, our security team reset users’ passwords and logged users out of any devices they had connected to Dropbox Sign.

What you can do
Passwords and multi-factor authentication: We’ve expired your password and logged you out of any devices you had connected to Dropbox Sign to further protect your account. The next time you log in to your Sign account, you’ll be sent an email to reset your password. Customers who use an authenticator app for multi-factor authentication should reset it as soon as possible. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.

If you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and utilize multi-factor authentication when available. Instructions on how to do this for your Dropbox Sign account can be found here.
At Dropbox, our number one value is to be worthy of trust. We hold ourselves to a high standard when protecting our customers and their content. We didn’t live up to that standard here, and we’re deeply sorry for the impact it caused our customers. We are grateful for your partnership, and we’re here to help all of those who were impacted by this incident. For more information on this incident, how to contact us, and updates see here.

- The Dropbox team



  • Mrs H
    New member | Level 2

    Hello, can anyone please confirm whether an email I received is legitimate? The email was received from "no-reply@em-s.dropbox.com" with the subject "Information regarding your Dropbox Sign (formerly HelloSign) account". I can't find any other reference to a supposed security breach. TIA

    • Megan
      Dropbox Staff

      Hey everyone, thanks for posting here.

      On April 24, we became aware of unauthorized activity to the Dropbox Sign production environment and found that a threat actor had accessed Dropbox Sign customer information.

      In response, our security team reset users’ passwords, logged users out of devices connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens. We’re in the process of reaching out to all users impacted by this incident who need to take action with instructions on how to further protect their data.

      More information can be found in our blog post here: https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign

      Thanks a bunch!

  • Nebue
    New member | Level 2

    [Update] After I scrolled all the way down in my mailbox, I found one email from 2017, which apparently means that email address is (still) registered on app.hellosign.com instead of dropbox.com; how confusing. Now I am disconnecting and deleting everything related to that email address, which includes online payment systems and more!!! Dropbox, you're disappointing!!!

    Hi. I have received an email to my other email address from no-reply@em-s.dropbox.com on May 5th regarding unauthorized access to Dropbox Sign on April 24th. I don't remember having an account with that email address. So I tried to log in in 2 different browsers with that email address, but it keeps taking me to a sign-up page, which means that email address isn't registered on Dropbox. How so?? The email is below:

    Hello,

    We’re reaching out because on April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed Dropbox Sign customer information. You are receiving this message because your information was in the data the third party accessed.

    What happened
    We can confirm that Dropbox Sign customer information such as emails, usernames, phone numbers, hashed passwords, multi-factor authentication, and general account settings were obtained. Based on our investigation, there is no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information.

    What we’re doing
    When we became aware of this issue, we launched an investigation with industry-leading forensic investigators to understand what happened and mitigate risks to our users. In response, our security team reset users’ passwords and logged users out of any devices they had connected to Dropbox Sign.

    What you can do

    • Passwords and multi-factor authentication: We’ve expired your password and logged you out of any devices you had connected to Dropbox Sign to further protect your account. The next time you log in to your Sign account, you’ll be sent an email to reset your password. Customers who use an authenticator app for multi-factor authentication should reset it as soon as possible. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.

    • If you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and utilize multi-factor authentication when available. Instructions on how to do this for your Dropbox Sign account can be found here.

    At Dropbox, our number one value is to be worthy of trust. We hold ourselves to a high standard when protecting our customers and their content. We didn’t live up to that standard here, and we’re deeply sorry for the impact it caused our customers. We are grateful for your partnership, and we’re here to help all of those who were impacted by this incident. For more information on this incident, how to contact us, and updates see here.

    - The Dropbox team
