As part of our commitment to updating everyone as we identify new information during our investigation, we can now confirm that only people with a DocuSign account were impacted by this incident – those who signed a document without a DocuSign account were not among the list of email addresses that were accessed maliciously. That said, even though an employee or customer of yours would not be on the list unless they had an account with DocuSign, we would still encourage you to utilize the existing materials on the DocuSign Trust Center to help them avoid being the victims of phishing.

https://trust.docusign.com/en-us/personal-safeguards/