
Dropbox confirms hackers stole 130 code repositories in GitHub phishing campaign

The attackers used a phishing page impersonating CircleCI to harvest employees' GitHub credentials and one-time passcodes, which they then used to access Dropbox's GitHub organisation

Dropbox has confirmed it was the target of a phishing campaign in which an attacker gained access to one of its GitHub organisation accounts and copied 130 of its code repositories.

Although the attacker gained access to the repositories, they didn’t contain any code for any of its core apps or infrastructure, it said.


Instead, the repositories contained copies of third-party libraries modified for use by Dropbox, some tools, internal prototypes, and configuration files used by the security team.

In a public advisory on Tuesday, the company said that it was notified by GitHub on 14 October 2022 that there was some suspicious behaviour on its account that took place the previous day.

Dropbox said that the attacker never had access to the contents of users' Dropbox accounts, passwords, or payment information, but it found evidence of access to code containing some credentials, mainly API keys used by Dropbox developers.

The code and data also included thousands of names and email addresses belonging to Dropbox employees, past and present customers, sales leads, and vendors.

Dropbox discovered that the attacker had gained access by impersonating CircleCI, a continuous integration and delivery platform that Dropbox uses "for select internal deployments". It added that "the risk to customers is minimal".

In September 2022, GitHub notified users of a phishing campaign active since 16 September. The emails mimicked notifications appearing to come from CircleCI which encouraged users to accept updated user terms and privacy policy by signing into GitHub through CircleCI.

The file-hosting service explained that it uses GitHub to host public as well as private repositories. It said that its employees received phishing emails in early October impersonating CircleCI, aimed at taking over Dropbox's GitHub accounts. The lure was plausible because CircleCI lets users sign in with their GitHub accounts.

Phishing emails are usually quarantined automatically, it said, but this time some slipped past Dropbox's defences and landed in employees' inboxes.

The emails looked legitimate and took users to a fake CircleCI login page, where they were directed to enter their GitHub username and password and then to use their hardware authentication key to pass a one-time password (OTP) to the attacker's site. Because an OTP is just a short code that is valid for a window of time, the attacker could relay it to the real GitHub login in time for it to be accepted; the code itself carries nothing that ties it to the site where it was typed.

This gave the attackers access to one of Dropbox’s organisation accounts where they copied 130 of its code repositories.

“We take our commitment to protecting the privacy of our customers, partners, and employees seriously, and while we believe any risk to them is minimal, we have notified those affected,” said the company.

When Dropbox was informed of the suspicious activity, the attackers’ access to GitHub was disabled. Security teams were able to investigate the exposed developer credentials and determine what data was accessed or stolen. It also hired external forensic experts to verify its findings and reported the attack to regulators and law enforcement.

In response to the attack, Dropbox is speeding up its adoption of WebAuthn, a web authentication standard in which registered devices such as hardware security keys or platform biometrics act as authentication factors. WebAuthn uses public key cryptography and binds each credential to the web origin that registered it: the authenticator signs a challenge together with the origin the browser is actually on, so a signature produced on a look-alike phishing page cannot be replayed against the real site. This is what makes it resistant to the kind of phishing used in this attack, which an OTP-based hardware key is not.

Dropbox said its whole environment will soon be protected by WebAuthn, using biometric factors or hardware tokens.
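To make the difference concrete, the following simulation (an added example, not Dropbox's, GitHub's or CircleCI's code) plays out both flows described above. It implements RFC 4226 HOTP to stand in for the hardware key's one-time code and shows that a code typed into a fake page and relayed by the attacker is indistinguishable to the real site. It then models a simplified WebAuthn assertion: the authenticator signs SHA-256(rpId) and a hash of the browser-built client data, which carries the challenge and the origin the browser was really on, and the relying party checks origin, rpId hash and signature before accepting. The attacker origin `circleci-login.example`, the fixed challenge and the HOTP seed are constructed for the demo; the browser's real rule that a page may only use an rpId that is a registrable suffix of its own domain is simplified to "rpId equals the page's host".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// hotp returns the 6-digit HOTP (RFC 4226) for one counter value: the kind of
// code an OTP hardware token shows and what the victim typed into the fake page.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1_000_000)
}

// relayOTP models the phish: the victim enters a fresh code on the attacker's page and
// the attacker forwards it to the real site within its validity window. Nothing in the
// code says where it was typed, so the real site's check passes.
func relayOTP(secret []byte, counter uint64) bool {
	typedOnFakeSite := hotp(secret, counter)  // victim's token output
	forwarded := typedOnFakeSite              // attacker relays it unchanged
	return forwarded == hotp(secret, counter) // real site recomputes and compares
}

// clientData is built by the browser, not the page, so a phishing page cannot
// claim origin "https://github.com".
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	authData   []byte // SHA-256(rpId) || flags || signCount (simplified layout)
	clientJSON []byte
	sig        []byte
}

// authenticatorSign does what a FIDO2 key does: sign authData || SHA-256(clientDataJSON).
func authenticatorSign(priv *ecdsa.PrivateKey, rpID string, cd clientData) (assertion, error) {
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // UP flag set, counter 1
	cj, err := json.Marshal(cd)
	if err != nil {
		return assertion{}, err
	}
	cdHash := sha256.Sum256(cj)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return assertion{authData, cj, sig}, err
}

// rpVerify is the relying party's check: challenge, origin, rpIdHash, then signature.
func rpVerify(pub *ecdsa.PublicKey, rpID, expectedOrigin, challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.clientJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong type or challenge")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: signed on %s, expected %s", cd.Origin, expectedOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.authData) < 32 || !hmac.Equal(a.authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(a.clientJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.sig) {
		return errors.New("bad signature")
	}
	return nil
}

// webauthnLogin simulates one login to github.com from a browser on loginOrigin. The
// browser binds the assertion to that origin and (simplified) to its host as rpId, so an
// assertion made on a phishing page fails at the real site even if relayed unchanged.
func webauthnLogin(loginOrigin string) error {
	const rpOrigin, rpID = "https://github.com", "github.com"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key registered earlier
	if err != nil {
		return err
	}
	challenge := "b3d2f7a1c0e9" // constructed; a real RP issues a fresh random one per login
	u, err := url.Parse(loginOrigin)
	if err != nil {
		return err
	}
	a, err := authenticatorSign(priv, u.Hostname(), clientData{"webauthn.get", challenge, loginOrigin})
	if err != nil {
		return err
	}
	return rpVerify(&priv.PublicKey, rpID, rpOrigin, challenge, a) // attacker relays a as-is
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed HOTP seed for the demo
	fmt.Println("relayed OTP accepted by real site:", relayOTP(secret, 42))
	fmt.Println("WebAuthn from real origin:", webauthnLogin("https://github.com"))
	fmt.Println("WebAuthn from phishing origin:", webauthnLogin("https://circleci-login.example"))
}
```

The first line prints `true`, the second `<nil>`, and the third an origin-mismatch error: the relayed OTP is accepted, the relayed WebAuthn assertion is not. In a real browser the attacker page could not even request the github.com credential, since the rpId check happens client-side before the authenticator is asked; the server-side origin check shown here is the second, independent line of defence.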
