Dropbox has confirmed it was the target of a phishing campaign which saw the company expose 130 of its own code repositories on GitHub which were then copied.
Although the attacker gained access to the repositories, they didn’t contain any code for any of its core apps or infrastructure, it said.
Instead, the repositories contained copies of third-party libraries modified for use by Dropbox, some tools, internal prototypes, and configuration files used by the security team.
In a public advisory on Tuesday, the company said that it was notified by GitHub on 14 October 2022 that there was some suspicious behaviour on its account that took place the previous day.
Dropbox said that the attacker never had access to the contents of users’ Dropbox accounts, passwords, or payment information, but it found evidence of access to code containing some credentials, mainly API keys utilised by developers.
The code and data also included thousands of names and email addresses belonging to employers, past and present customers, sales leads, and vendors.
Dropbox discovered that an attacker had accessed its account by impersonating software management platform CircleCI which it uses "for select internal deployments" but "the risk to customers is minimal", it said.
In September 2022, GitHub notified users of a phishing campaign active since 16 September. The emails mimicked notifications appearing to come from CircleCI which encouraged users to accept updated user terms and privacy policy by signing into GitHub through CircleCI.
The file-hosting service explained that it uses GitHub to host public as well as private repositories. It said that its employees received phishing emails in early October impersonating CircleCI, with the aim of targeting Dropbox’s GitHub accounts since users are able to enter CircleCI with their GitHub credentials.
Phishing emails are usually automatically quarantined, it said, but this time some slipped past Dropbox’s defences and landed into employees’ inboxes.
The emails appeared to look legitimate and took users to a fake CircleCI login page where they were directed to enter their GitHub credentials. Following this, they then entered their hardware authentication key to approve a one-time password (OTP).
This gave the attackers access to one of Dropbox’s organisation accounts where they copied 130 of its code repositories.
“We take our commitment to protecting the privacy of our customers, partners, and employees seriously, and while we believe any risk to them is minimal, we have notified those affected,” said the company.
When Dropbox was informed of the suspicious activity, the attackers’ access to GitHub was disabled. Security teams were able to investigate the exposed developer credentials and determine what data was accessed or stolen. It also hired external forensic experts to verify its findings and reported the attack to regulators and law enforcement.
In response to the attack, Dropbox is speeding up its adoption of WebAuthn, an API that allows for simple and secure user authentication by using registered devices as factors. It also uses public key cryptography to protect users from advanced phishing attacks.
Soon, Dropbox’s whole environment will be protected by WebAuthn through biometric factors or hardware tokens.
