Dropbox confirms hackers stole 130 code repositories in GitHub phishing campaign

Email sign with a fish hook on blue digital background
(Image credit: Shutterstock)

Dropbox has confirmed it was the target of a phishing campaign which saw the company expose 130 of its own code repositories on GitHub which were then copied.

Although the attacker gained access to the repositories, they didn’t contain any code for any of its core apps or infrastructure, it said.


Database and big data security

KuppingerCole 2021 Leadership Compass Report


Instead, the repositories contained copies of third-party libraries modified for use by Dropbox, some tools, internal prototypes, and configuration files used by the security team.

In a public advisory on Tuesday, the company said that it was notified by GitHub on 14 October 2022 that there was some suspicious behaviour on its account that took place the previous day.

Dropbox said that the attacker never had access to the contents of users’ Dropbox accounts, passwords, or payment information, but it found evidence of access to code containing some credentials, mainly API keys utilised by developers.

The code and data also included thousands of names and email addresses belonging to employers, past and present customers, sales leads, and vendors.

Dropbox discovered that an attacker had accessed its account by impersonating software management platform CircleCI which it uses "for select internal deployments" but "the risk to customers is minimal", it said.

In September 2022, GitHub notified users of a phishing campaign active since 16 September. The emails mimicked notifications appearing to come from CircleCI which encouraged users to accept updated user terms and privacy policy by signing into GitHub through CircleCI.

The file-hosting service explained that it uses GitHub to host public as well as private repositories. It said that its employees received phishing emails in early October impersonating CircleCI, with the aim of targeting Dropbox’s GitHub accounts since users are able to enter CircleCI with their GitHub credentials.

Phishing emails are usually automatically quarantined, it said, but this time some slipped past Dropbox’s defences and landed into employees’ inboxes.

The emails appeared to look legitimate and took users to a fake CircleCI login page where they were directed to enter their GitHub credentials. Following this, they then entered their hardware authentication key to approve a one-time password (OTP).

This gave the attackers access to one of Dropbox’s organisation accounts where they copied 130 of its code repositories.

“We take our commitment to protecting the privacy of our customers, partners, and employees seriously, and while we believe any risk to them is minimal, we have notified those affected,” said the company.

When Dropbox was informed of the suspicious activity, the attackers’ access to GitHub was disabled. Security teams were able to investigate the exposed developer credentials and determine what data was accessed or stolen. It also hired external forensic experts to verify its findings and reported the attack to regulators and law enforcement.

In response to the attack, Dropbox is speeding up its adoption of WebAuthn, an API that allows for simple and secure user authentication by using registered devices as factors. It also uses public key cryptography to protect users from advanced phishing attacks.

Soon, Dropbox’s whole environment will be protected by WebAuthn through biometric factors or hardware tokens.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.