As part of our commitment to updating everyone as we identify new information during our investigation, we can now confirm that only people with a DocuSign account were impacted by this incident – those who signed a document without a DocuSign account were not among the list of email addresses that were accessed maliciously.

That said, even though an employee or customer of yours would not be on the list unless they had an account with DocuSign, we would still encourage you to utilize the existing materials on the DocuSign Trust Center to help them avoid being the victims of phishing.

As an update to the frequently-asked questions we originally included below:

Q: Have the email addresses of my employees, customers or customers’ customers been exposed as part of this incident?A: As part of our ongoing investigation, we can now confirm that no signers were on the list of email addresses that was accessed maliciously unless they had signed up for a DocuSign account. That could include direct DocuSign customers; someone who signed a document and elected to open a DocuSign account; or someone who signed up for a DocuSign freemium account – via docusign.com, through a partner integration, or via the DocuSign mobile client.

Q: Do I need to communicate to all of them?A: We would encourage you to utilize the existing materials on the Trust Center to help your employees, customers or customers’ customers protect themselves from phishing attacks.

As always, please continue to Contact Support or call +1-800-379-9973 with any additional questions.