Threat actors used employee login information they had obtained through phishing to log into one of Dropbox’s GitHub accounts, where they stole 130 code projects. As a result, Dropbox announced a security breach.
Both some of Dropbox’s private repositories and its public repositories are hosted on GitHub. Additionally, they employ CircleCI for a few internal deployments. Early in October, phishing emails pretending to be from CircleCI were sent to many Dropbox employees with the goal of stealing GitHub accounts (a person can use their GitHub credentials to login to CircleCI).
While some of these emails were automatically quarantined by security systems, others found their way into employees’ inboxes. These convincing emails instructed recipients to access a fictitious CircleCI login page, log in with their GitHub credentials, and then use their physical authentication key to access the system.
Through a fake CircleCI login page, employees were instructed to input their GitHub username and password before using their physical authentication key to send a One Time Password (OTP) to the phishing site. The malicious actors finally gained access to one of the GitHub groups through this, and they then copied 130 of their source repositories there.
Internal prototypes, copies of third-party libraries that had been marginally altered for usage by Dropbox, as well as several tools and configuration files needed by the security team, were all stored in these repositories. It’s important to note that they omitted the infrastructure or core app code. These repositories’ access is significantly more restricted and tightly regulated.
The contents of anyone’s Dropbox account, their password, or their payment details were never available to this malicious attacker. As of this point, research has shown that some credentials—primarily, API keys—used by Dropbox developers were included in the code that this malicious actors was able to access. A few thousand names and email addresses of Dropbox staff, clients, sales prospects, and vendors were also contained in the code and the data around it (for context, Dropbox has more than 700 million registered users).
We are aware that people are unable to identify every phishing technique. Many people’s jobs need them to regularly click links and view attachments. Even the most suspicious and watchful expert might be duped by a skillfully prepared message spread at the ideal moment. The strongest defense against these sorts of attacks continues to be technological restrictions and cyber security awareness training, which is precisely why phishing is still so successful. The more complex threats evolve, the more crucial these measures become.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.