Dropbox workers fell victim to phishing attack, compromising private code

Dropbox disclosed a security breach in which threat actors stole 130 code repositories after gaining access to one of its GitHub accounts using employee credentials stolen in a phishing attack.

The company discovered the breach on October 14, when GitHub notified it of suspicious activity that had begun the day before the alert was sent.

Dropbox private code was stolen via a phishing attack

This leak was the result of a phishing attack that targeted several Dropbox employees with emails impersonating the CircleCI continuous integration and delivery platform. The emails redirected them to a fake login page, where they were asked to enter their GitHub username and password; with those credentials the attackers managed to access part of the code the company stores on GitHub. On the same phishing page, employees were also asked to “use their hardware authentication key to pass a one-time password (OTP).”

To give peace of mind to its more than 700 million registered users, Dropbox issued a statement assuring them that “no one’s content, passwords, or payment information was accessed, and the issue was quickly resolved”. It also clarified that Dropbox’s main applications and infrastructure were not affected, since access to that code is even more limited and subject to stricter controls. “We believe that the risk for customers is minimal,” the company emphasized.

So far, Dropbox's investigation has found that the code accessed by the attacker contained some credentials (mainly API keys) used by the Dropbox developer team. The compromised data also included a few thousand names and email addresses belonging to Dropbox employees, current and former customers, sales leads, and vendors. Even though the company says the risk is negligible for the affected accounts, they were notified anyway.

Compromised code repositories “included our own copies of third-party libraries, slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team,” according to the company. “Importantly, they did not include code for our core applications or infrastructure. Access to those repositories is even more limited and strictly controlled,” it added.

In addition, Dropbox assured that the attackers were never able to access their customers’ accounts, passwords, or payment information, further noting that their core applications and infrastructure were not compromised as a result of this attack.

As a security measure taken in response to this situation, the company also announced the strengthening of its security systems, protecting all access to its environment through WebAuthn and hardware tokens or biometric factors.

Brian Adam
Professional Blogger, V logger, traveler and explorer of new horizons.