Dropbox confirms hackers stole 130 code repositories in GitHub phishing campaign
The attackers carried out a phishing attack and gained employee login credentials to CircleCI, which they then used to access GitHub
Dropbox has confirmed it was the target of a phishing campaign in which an attacker gained access to 130 of its code repositories on GitHub and copied them.
Although the attacker gained access to the repositories, they didn’t contain code for any of Dropbox’s core apps or infrastructure, the company said.
Instead, the repositories contained copies of third-party libraries modified for use by Dropbox, some tools, internal prototypes, and configuration files used by the security team.
In a public advisory on Tuesday, the company said that it was notified by GitHub on 14 October 2022 that there was some suspicious behaviour on its account that took place the previous day.
Dropbox said that the attacker never had access to the contents of users’ Dropbox accounts, passwords, or payment information, but it found evidence of access to code containing some credentials, mainly API keys utilised by developers.
The code and data also included thousands of names and email addresses belonging to employees, past and present customers, sales leads, and vendors.
Dropbox discovered that an attacker had accessed its account by impersonating software management platform CircleCI, which it uses "for select internal deployments", but "the risk to customers is minimal", it said.
The file-hosting service explained that it uses GitHub to host public as well as private repositories. It said that its employees received phishing emails in early October impersonating CircleCI, with the aim of targeting Dropbox’s GitHub accounts since users are able to enter CircleCI with their GitHub credentials.
Phishing emails are usually automatically quarantined, it said, but this time some slipped past Dropbox’s defences and landed in employees’ inboxes.
The emails appeared legitimate and took users to a fake CircleCI login page where they were directed to enter their GitHub credentials. They then used their hardware authentication key to approve a one-time password (OTP).
This gave the attackers access to one of Dropbox’s organisation accounts where they copied 130 of its code repositories.
“We take our commitment to protecting the privacy of our customers, partners, and employees seriously, and while we believe any risk to them is minimal, we have notified those affected,” said the company.
When Dropbox was informed of the suspicious activity, the attackers’ access to GitHub was disabled. Security teams were able to investigate the exposed developer credentials and determine what data was accessed or stolen. Dropbox also hired external forensic experts to verify its findings and reported the attack to regulators and law enforcement.
In response to the attack, Dropbox is speeding up its adoption of WebAuthn, an API that allows for simple and secure user authentication by using registered devices as factors. WebAuthn also uses public key cryptography to protect users from advanced phishing attacks.
Soon, Dropbox’s whole environment will be protected by WebAuthn through biometric factors or hardware tokens.