Dropbox has announced that 130 GitHub repositories were stolen via a data breach. The breach occurred as a result of a successful phishing attack.
Dropbox Discloses a Security Breach
It has been announced that Dropbox, the popular file-sharing and collaboration platform, has suffered a data breach. In this breach, a threat actor stole 130 private GitHub code repositories (or archives) via a phishing attack.
In a Dropbox.Tech post, the company’s security team stated that these stolen repositories included “some credentials—primarily, API keys—used by Dropbox developers”. The team also noted that “code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.”
Dropbox has since disabled the threat actor’s access to GitHub (a code hosting, sharing, and development platform), with its team quickly working to find whether any customer data was stolen and determine the “rotation of all exposed developer credentials”.
Threat Actor Impersonated an Official Body
In this Dropbox phishing attack, the threat actor impersonated a CirclCI member of staff. Dropbox uses CirclCI, an integration and delivery platform, for some of its internal deployments. Starting in October, Dropbox users began to receive emails from senders claiming to be from CirclCI. This is commonplace in phishing attacks.
A Dropbox employee’s GitHub credentials can also be used to access their CircleCI account, which is why the threat actor impersonated CircleCI in this case. Dropbox was able to catch some phishing emails before they reached staff, but not all.
When the targeted individual received the email, they were provided a link to a malicious website designed to steal both their GitHub credentials and hardware authentication key. Such websites are designed to look almost identical to official login pages.
Using this information, the attacker was able to access the GitHub account and steal repositories. It is not known how many Dropbox staff fell victim to this phishing campaign.
Dropbox Account Content Was Not Stolen
In the aforementioned post, Dropbox assured users that no kind of customer data, such as passwords or payment details, was stolen in the attack. On top of this, Dropbox stated that the threat actor did not steal any code for its core apps and infrastructure.
As a result of this breach, Dropbox announced that its entire platform will soon be “secured by WebAuthn with hardware tokens or biometric factors”.
Phishing Attacks Can Trick Even Experienced Individuals
Phishing attacks are becoming more sophisticated as the years pass, to the point where it’s now difficult to sniff out a malicious email or website. However, it is still crucial to employ adequate security measures, such as antivirus software and spam filters, to protect yourself from phishing scams as much as possible.