Dropbox confirms serious security breach in which hackers stole code from 130 GitHub repositories
Dropbox has revealed details of a phishing attack to which it fell victim. In the attack, a threat actor harvested employees' GitHub credentials and used them to steal code from the company's repositories.
The security breach took place in the middle of last month, with GitHub notifying Dropbox of suspicious account activity on October 14. The cloud storage company says that the code that was accessed "contained some credentials -- primarily, API keys -- used by Dropbox developers" but insists that "no one's content, passwords, or payment information was accessed", and that its core apps and infrastructure were unaffected.
In a blog post that goes into some detail about the incident, Dropbox says: "In today's evolving threat landscape, people are inundated with messages and notifications, making phishing lures hard to detect. Threat actors have moved beyond simply harvesting usernames and passwords, to harvesting multi-factor authentication codes as well. In September, GitHub detailed one such phishing campaign, in which a threat actor accessed GitHub accounts by impersonating the code integration and delivery platform CircleCI. We recently learned that Dropbox was targeted by a similar campaign.
The company continues:
On October 14, 2022, GitHub alerted us to some suspicious behavior that began the previous day. Upon further investigation, we found that a threat actor -- also pretending to be CircleCI -- accessed one of our GitHub accounts, too.
At no point did this threat actor have access to the contents of anyone's Dropbox account, their password, or their payment information. To date, our investigation has found that the code accessed by this threat actor contained some credentials -- primarily, API keys -- used by Dropbox developers. The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users). We take our commitment to protecting the privacy of our customers, partners, and employees seriously, and while we believe any risk to them is minimal, we have notified those affected.
Dropbox goes on to explain that it uses GitHub to host both public and private repositories, and points out that it makes use of CircleCI for "select internal deployments". It was by impersonating CircleCI that the threat actor was able to harvest GitHub login credentials from Dropbox employees.
In all, the attacker was able to access 130 code repositories before access was cut off. Dropbox says:
These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team. Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled.
Dropbox says that it is using a third party to conduct additional investigations to ensure that no customer data was involved, and that it is accelerating its adoption of WebAuthn -- which it describes as the "gold standard" of multi-factor authentication tools. The distinction matters for exactly the kind of attack described here: a one-time code typed into a lookalike login page can simply be forwarded to the real site within its validity window, whereas a WebAuthn assertion is bound by the browser to the origin of the page that requested it, so a credential exercised on a phishing domain cannot be replayed against the genuine service.
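The following is an added example, not code from the article or from Dropbox or GitHub, contrasting the two factors the article discusses: an RFC 6238 TOTP code, which a phishing page can relay to the real site unchanged, and the origin check a WebAuthn relying party performs on clientDataJSON before it ever looks at the signature. The seed, relying-party origin, phishing origin and challenge are all constructed for the example. The WebAuthn signature step is omitted, since the point is the origin binding that precedes it (the signature covers SHA-256(clientDataJSON), so the origin field cannot be edited without invalidating it).

```python
"""Constructed example: relayed OTP verifies, WebAuthn assertion from a
phishing origin does not. Standard library only."""
import base64
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Note that nothing in the code depends on
    which site the user typed it into: it is bound to time, not to origin."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otp_login_accepts(secret: bytes, submitted_code: str, now: int) -> bool:
    """The genuine site's check. It has no way to know whether the code was
    typed here or on a lookalike page that forwarded it."""
    return hmac.compare_digest(totp(secret, now), submitted_code)


def relayed_otp_demo() -> bool:
    secret = b"12345678901234567890"      # constructed seed (RFC 6238 test vector)
    now = 1_700_000_000                   # constructed timestamp
    # 1. victim types the current code into the phishing page ...
    code_typed_on_phishing_page = totp(secret, now)
    # 2. ... attacker relays it to the real site inside the same 30 s window.
    return otp_login_accepts(secret, code_typed_on_phishing_page, now)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Simulates what the browser builds for navigator.credentials.get().
    The browser, not the page, fills in `origin`, so a phishing page cannot
    claim to be the relying party."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": _b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_origin: str) -> bool:
    """Relying-party checks on clientDataJSON from the WebAuthn assertion
    verification procedure: ceremony type, challenge freshness, and origin.
    A real RP then verifies the signature over authenticatorData ||
    SHA-256(clientDataJSON), which is what pins these fields."""
    try:
        c = json.loads(client_data_json)
    except ValueError:
        return False
    if c.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(_b64url_decode(c.get("challenge", "")), expected_challenge):
        return False
    return c.get("origin") == expected_origin


def webauthn_demo() -> tuple:
    rp_origin = "https://rp.example"                  # constructed relying party
    phishing_origin = "https://circleci-login.example"  # constructed lookalike
    challenge = hashlib.sha256(b"constructed challenge").digest()
    legit = verify_client_data(make_client_data(rp_origin, challenge), challenge, rp_origin)
    # Same user, same authenticator, same challenge, but the browser recorded
    # the phishing page's origin, so the relying party rejects it.
    phished = verify_client_data(make_client_data(phishing_origin, challenge), challenge, rp_origin)
    return legit, phished


if __name__ == "__main__":
    print("relayed OTP accepted by real site:", relayed_otp_demo())
    print("WebAuthn (legit origin, phishing origin):", webauthn_demo())
```

The TOTP routine reproduces the RFC 6238 reference vector (seed "12345678901234567890", time 59, 8 digits gives 94287082), so the "relay succeeds" result is not an artefact of a toy implementation; the same relay works against any time-based code, which is why the campaign described above could harvest MFA codes alongside passwords.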
More information is available in Dropbox's blog post here.