Dropbox has revealed details of a phishing attack it fell victim to. In the attack, the threat actor harvested employee credentials and used them to steal code from the company’s GitHub repositories.
The security breach occurred in the middle of last month when GitHub notified Dropbox of suspicious account activity on October 14. The cloud storage company says “the accessed code contained some credentials — primarily API keys — from developers using Dropbox” but insists that “no one’s content, passwords or payment information was accessed” and that its core apps and infrastructure were not affected.
Elaborating on the incident in a blog post, Dropbox says: “In today’s evolving threat landscape, people are inundated with messages and notifications, making it difficult to identify phishing lures. Threat actors have gone beyond just extracting usernames and passwords. Multi-factor authentication codes are also being targeted. In September, GitHub detailed a similar phishing campaign, in which a threat actor impersonated code integration and delivery platform CircleCI and accessed GitHub accounts. We recently learned that Dropbox was targeted by a similar campaign.”
The company continues:
On October 14, 2022, GitHub alerted us to some suspicious behavior that started the previous day. Upon further investigation, we discovered that a threat actor — also pretending to be CircleCI — accessed one of our GitHub accounts.
At no point did this threat actor have access to anyone’s Dropbox account content, their password, or their payment information. To date, our investigation has determined that the code accessed by this threat actor contains some of the credentials — primarily API keys — used by Dropbox developers. The code and the data surrounding it also include a few thousand names and email addresses of Dropbox employees, current and past customers, sales leads, and vendors (for reference, Dropbox has over 700 million registered users). We take our commitment to protecting the privacy of our customers, partners and employees seriously, and while we believe any risk to them is minimal, we have notified those affected.
Dropbox further explains that it uses GitHub to host both public and private repositories, and that it uses CircleCI for “select internal deployments.” A threat actor posing as CircleCI was able to extract login credentials from Dropbox employees.
In total, the attacker was able to access 130 code repositories before access was blocked. Dropbox says:
These repositories include our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team. Importantly, they don’t include code for our native apps or infrastructure. Access to those repositories is more limited and strictly controlled.
Dropbox says it is using a third party to conduct additional checks to ensure no customer data is involved, and that it is accelerating adoption of WebAuthn — which it describes as the “gold standard” of multi-factor authentication tools.
More information is available in Dropbox’s blog post.