Dropbox announced that 130 GitHub repositories were stolen via a data breach. The breach occurred following a successful phishing attack.
Dropbox discloses security breach
Dropbox, the popular file sharing and collaboration platform, has disclosed a data breach in which a malicious actor stole 130 private GitHub code repositories via a phishing attack.
In a post on Dropbox.Tech, the company’s security team said the stolen repositories included “certain credentials – primarily API keys – used by Dropbox developers.” The team also noted that “the code and data around it also includes a few thousand names and email addresses belonging to Dropbox employees, current and past customers, prospects and vendors.”
Dropbox has since disabled the threat actor’s access to GitHub (a code hosting, sharing, and development platform), and its team is working quickly to determine whether any customer data was stolen and to complete the “rotation of all exposed developer credentials”.
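Rotating "all exposed developer credentials" first requires an inventory of what the stolen repositories actually contained. The following is an added example, not Dropbox's tooling: a small scanner that walks a repository (here a constructed in-memory one, with placeholder values shaped like real keys) and flags credential-like strings, using two publicly documented key prefixes (`AKIA` for AWS access key IDs, `ghp_` for GitHub personal access tokens) plus a generic entropy check on secret-looking assignments. The `SAMPLE_REPO` contents, the threshold and the `Finding` type are all assumptions made for the example.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample repository: path -> file contents. The values are
# placeholders with the shape of real keys (the AWS secret is the one from
# AWS's own documentation), not working credentials.
SAMPLE_REPO = {
    "deploy/config.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEEXAMPLE01'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "ci/.env": "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "README.md": "Run `make deploy` to publish the service.\n",
    "src/app.py": "DEBUG = True\nVERSION = 'v1.2.3'\n",
}

# Known credential formats are checked first, then a generic catch-all for
# assignments whose name suggests a secret and whose value looks random.
SPECIFIC_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)[A-Za-z_]*(?:secret|token|key|password)[A-Za-z_]*\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption chosen for the example


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    preview: str  # first four characters only, so the report does not leak the value


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_repo(repo: dict) -> list:
    """Return one Finding per (file, value) that looks like a credential."""
    findings, seen = [], set()
    for path, content in repo.items():
        for kind, pattern in SPECIFIC_PATTERNS:
            for match in pattern.finditer(content):
                key = (path, match.group(0))
                if key not in seen:
                    seen.add(key)
                    findings.append(Finding(path, kind, match.group(0)[:4] + "..."))
        for match in GENERIC_ASSIGNMENT.finditer(content):
            value = match.group(1)
            key = (path, value)
            if key in seen:
                continue  # already attributed to a specific format above
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                seen.add(key)
                findings.append(Finding(path, "high-entropy-secret", value[:4] + "..."))
    return findings


def rotation_plan(findings: list) -> dict:
    """Group affected files by credential type, since rotation happens per issuer."""
    plan = {}
    for finding in findings:
        plan.setdefault(finding.kind, []).append(finding.path)
    return plan


if __name__ == "__main__":
    for kind, paths in rotation_plan(scan_repo(SAMPLE_REPO)).items():
        print(f"{kind}: rotate, referenced in {paths}")
```

The scan reports previews rather than full values, so the rotation list can be shared without becoming another copy of the secrets; in practice the same walk would run over every commit in the history, not only the working tree, since a key removed in a later commit is still in the archive.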
The threat actor impersonated an official body
In this Dropbox phishing attack, the threat actor posed as a CircleCI staff member. Dropbox uses CircleCI, a continuous integration and delivery platform, for some of its internal deployments. Beginning in October, Dropbox employees began receiving emails from senders claiming to be from CircleCI; impersonating a trusted vendor in this way is common in phishing attacks.
A Dropbox employee’s GitHub credentials can also be used to log in to their CircleCI account, which is why the threat actor impersonated CircleCI in this case. Dropbox was able to intercept some of the phishing emails before they reached staff, but not all of them.
The emails contained a link to a malicious website designed to capture both the recipient’s GitHub credentials and their hardware authentication key. Such websites are designed to look almost identical to the official login pages.
Using this information, the attacker was able to access the GitHub account and steal repositories. It is not known how many Dropbox employees fell victim to this phishing campaign.
Customer Dropbox account contents were not stolen
In the same post, Dropbox assured users that no customer data, such as passwords or payment details, was stolen in the attack. In addition, Dropbox said the threat actor did not steal any code for its core applications and infrastructure.
Following this breach, Dropbox announced that its entire platform will soon be “secured by WebAuthn with hardware tokens or biometric factors”.
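The reason WebAuthn is the announced fix is that, unlike a code read off a hardware key and typed into a lookalike page, a WebAuthn assertion is bound to the origin the browser was actually on. The following is an added illustration, not Dropbox's or any WebAuthn library's code: it models the three parties (authenticator, browser, relying party) with the real message layout, `authenticatorData || SHA-256(clientDataJSON)` signed by the authenticator and `clientDataJSON` carrying the origin the browser observed. As a simplification, an HMAC over a per-credential secret stands in for the ECDSA signature a real token produces, and the two origins are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://ci.example"          # constructed stand-in for the genuine login origin
LOOKALIKE_ORIGIN = "https://ci-example.test"  # constructed stand-in for a phishing page's origin


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Stand-in for a hardware token. HMAC with a per-credential secret replaces
    the ECDSA signature; the signed message follows the WebAuthn layout."""

    def __init__(self):
        self.credential_secret = secrets.token_bytes(32)

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        # authenticatorData = rpIdHash (32) || flags (1, user-present set) || signCount (4)
        auth_data = sha256(rp_id.encode()) + b"\x01" + (0).to_bytes(4, "big")
        signed = auth_data + sha256(client_data_json)
        return {
            "authenticatorData": auth_data,
            "clientDataJSON": client_data_json,
            "signature": hmac.new(self.credential_secret, signed, "sha256").digest(),
        }


def browser_get_assertion(authenticator: Authenticator, page_origin: str, challenge: str) -> dict:
    """What the browser does for navigator.credentials.get(): the browser, not the
    page, writes the page's true origin into clientDataJSON and derives rpId from it."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    return authenticator.get_assertion(rp_id, client_data)


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self.credential_secret = None  # a real RP stores the credential's public key instead

    def register(self, authenticator: Authenticator) -> None:
        self.credential_secret = authenticator.credential_secret

    def verify(self, assertion: dict, expected_challenge: str) -> str:
        """Return "ok" or the name of the first check that fails."""
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data.get("type") != "webauthn.get":
            return "wrong type"
        if client_data.get("challenge") != expected_challenge:
            return "challenge mismatch"      # replayed or stale assertion
        if client_data.get("origin") != self.origin:
            return "origin mismatch"         # assertion was made on a different site
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return "rpIdHash mismatch"
        expected = hmac.new(
            self.credential_secret, auth_data + sha256(assertion["clientDataJSON"]), "sha256"
        ).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "bad signature"
        return "ok"


def _setup():
    token, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.register(token)
    return token, rp


def legitimate_login() -> str:
    token, rp = _setup()
    challenge = secrets.token_urlsafe(32)
    return rp.verify(browser_get_assertion(token, REAL_ORIGIN, challenge), challenge)


def assertion_made_on_lookalike_page() -> str:
    """The user touches the token while on the lookalike page; even with the real
    RP's current challenge, the assertion carries the lookalike origin and is rejected."""
    token, rp = _setup()
    challenge = secrets.token_urlsafe(32)
    return rp.verify(browser_get_assertion(token, LOOKALIKE_ORIGIN, challenge), challenge)


def stale_challenge() -> str:
    token, rp = _setup()
    assertion = browser_get_assertion(token, REAL_ORIGIN, secrets.token_urlsafe(32))
    return rp.verify(assertion, secrets.token_urlsafe(32))


if __name__ == "__main__":
    print("genuine origin:", legitimate_login())
    print("lookalike origin:", assertion_made_on_lookalike_page())
    print("old challenge:", stale_challenge())
```

The contrast with the attack described above is the origin field: a one-time code from a hardware key is just digits and works wherever it is typed, whereas the assertion here fails at `origin mismatch` (and would also fail the `rpIdHash` check) because the browser, not the page, decides what goes into `clientDataJSON`.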
Phishing attacks can fool even experienced people
Phishing attacks have become more and more sophisticated over the years, to the point that it is now difficult to tell a malicious email or website from a genuine one. It remains crucial to employ adequate security measures, such as anti-virus software and spam filters, to protect yourself as much as possible from phishing scams.