Dropbox hackers steal 130 GitHub repositories
A phishing attack used emails pretending to be from CircleCI to target Dropbox employees
A phishing campaign targeted file hosting service Dropbox last month, enabling a malicious actor to steal employee login details for GitHub repositories and grab 130 of the company's code repositories.
The company discovered the security incident on 14th October, after GitHub alerted it to some suspicious account activity the previous day.
Dropbox says certain credentials - primarily API keys - used by its engineers were stored in the code the threat actor was able to access. Just as concerning, several thousand names and email addresses belonging to Dropbox workers, current and former clients, sales leads and vendors were also included in the code and the data around it.
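The lesson from that paragraph is that credentials had ended up inside source code, where a repository theft exposes them. The following is an added example (not code from the article, Dropbox or GitHub) of a minimal secret scan of the kind that can run before a commit lands: it combines rules for well-known token prefixes with a Shannon-entropy check on suspicious-looking assignments. The sample files and every matched value are constructed for the demo and are not valid credentials; the `scan_files` helper and its rule names are my own.

```python
"""
Added example: a small pre-commit style scan for credentials embedded in
source.  Not the project's or Dropbox's tooling; sample inputs constructed.
"""
import math
import re
from collections import Counter

# Rules for token formats with a recognisable prefix.  The prefixes are the
# real public formats; the sample values below are constructed and invalid.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Generic rule: a secret-ish variable name assigned a long quoted literal.
# The literal is only reported if it also looks random (high entropy), which
# keeps placeholders such as 'changeme' out of the findings.
ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string (0.0 for a single repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str, entropy_threshold: float = 3.5):
    """Return (path, line_number, rule_name) for every line that trips a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((path, lineno, name))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((path, lineno, "high_entropy_assignment"))
    return findings


def scan_files(files: dict):
    """Scan a mapping of path -> file contents (stands in for a git tree walk)."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(text, path))
    return results


# Constructed sample repository contents (hypothetical paths, fake values).
SAMPLE_FILES = {
    "deploy/config.py": (
        "REGION = 'us-east-1'\n"
        "API_KEY = 'c0nstructed9Xq2LmZ8vP4tR7wY1sK3h'\n"  # random-looking: flagged
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE012345678'\n"    # known prefix: flagged
    ),
    "tools/README.md": (
        "Set TOKEN in your environment before running.\n"
        "password = 'changeme'\n"                         # short placeholder: ignored
    ),
}

if __name__ == "__main__":
    for path, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

In a real pipeline the scan would walk the git tree (or the diff of a pull request) rather than an in-memory dictionary, and a hit should block the commit and trigger rotation of the matched credential, since the value is already in history once pushed.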
The company says that no content, passwords or payment information was accessed, and that neither its core applications nor its infrastructure were impacted.
The intrusion stemmed from a phishing attack targeting Dropbox employees, with the payload hidden in emails ostensibly from code integration and delivery platform CircleCI.
Dropbox uses CircleCI for some internal deployment. Employees access Dropbox's private code repositories using their GitHub accounts, and use the same login credentials for CircleCI.
According to Dropbox, the attack sent employees to a landing page where they were prompted to enter their GitHub credentials. They were then asked to 'use their hardware authentication key to pass a One Time Password (OTP)' on the same page. This appears to have allowed the attackers to bypass multi-factor authentication.
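The mechanism in that paragraph is a relay: a one-time password is just digits, so the real site cannot tell whether the user typed them into its own page or into a lookalike that forwards them. The following is an added simulation (not code from the article, Dropbox or GitHub) that contrasts a relayed RFC 6238 TOTP with a FIDO2/WebAuthn assertion, which I assume is the phishing-resistant form behind the "hardware tokens" mentioned later in the piece. It uses only the Python standard library; the seed, credential key, origins and challenge are constructed for the demo, and an HMAC stands in for the authenticator's real ECDSA signature.

```python
"""
Added example: why an OTP typed into a phishing page verifies at the real
site, while a WebAuthn-style assertion bound to the browser's origin does not.
Everything here is constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import struct
import time

# ---- Part 1: a one-time password relayed through a phishing page -----------
TOTP_SEED = b"constructed-demo-seed-not-a-real-secret"  # constructed


def totp(seed: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", int(t // step))
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def legit_site_accepts_otp(code: str, t: float) -> bool:
    """The real site can only check the digits; it cannot tell where they were typed."""
    return hmac.compare_digest(code, totp(TOTP_SEED, t))


def relay_otp_through_phish(t: float) -> bool:
    """Victim reads the code off their token and types it into the fake page;
    the fake page forwards it to the real site inside the 30 s window."""
    code_typed_into_fake_page = totp(TOTP_SEED, t)
    return legit_site_accepts_otp(code_typed_into_fake_page, t)  # True: second factor relayed


# ---- Part 2: an origin-bound WebAuthn-style assertion ----------------------
RP_ID = "code-host.example"                            # hypothetical relying party
LEGIT_ORIGIN = "https://code-host.example"
PHISH_ORIGIN = "https://code-host.example-login.test"  # hypothetical lookalike
CRED_KEY = b"constructed-demo-credential-key"          # stands in for the private key


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """The browser, not the web page, records the origin it is actually talking to."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).decode(),
        "origin": origin,
    }, sort_keys=True).encode()


def authenticator_sign(rp_id: str, client_data: bytes) -> bytes:
    """Signature over rpIdHash || clientDataHash (HMAC stands in for ECDSA)."""
    msg = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.new(CRED_KEY, msg, hashlib.sha256).digest()


def legit_site_verifies(client_data: bytes, signature: bytes, challenge: bytes) -> bool:
    """Relying-party checks: ceremony type, origin, challenge, then the signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("origin") != LEGIT_ORIGIN:
        return False  # assertion was made for some other origin: reject
    if data.get("challenge") != base64.urlsafe_b64encode(challenge).decode():
        return False  # replayed or foreign challenge: reject
    expected = authenticator_sign(RP_ID, client_data)
    return hmac.compare_digest(signature, expected)


def genuine_webauthn_login() -> bool:
    """Normal flow: the browser is on the real origin, so the assertion verifies."""
    challenge = b"challenge-issued-by-legit-site"
    client_data = browser_client_data(LEGIT_ORIGIN, challenge)
    return legit_site_verifies(client_data, authenticator_sign(RP_ID, client_data), challenge)


def relay_webauthn_through_phish() -> bool:
    """The fake page forwards the real challenge, but the victim's browser writes
    the phishing origin into clientData (a real browser would also refuse to use
    a credential scoped to another domain), so the relayed assertion is rejected."""
    challenge = b"challenge-issued-by-legit-site"
    client_data = browser_client_data(PHISH_ORIGIN, challenge)
    return legit_site_verifies(client_data, authenticator_sign(RP_ID, client_data), challenge)


if __name__ == "__main__":
    now = time.time()
    print("OTP relayed through phish accepted:", relay_otp_through_phish(now))
    print("genuine WebAuthn login accepted:", genuine_webauthn_login())
    print("WebAuthn relayed through phish accepted:", relay_webauthn_through_phish())
```

The point of the contrast is that the OTP verifier has nothing but the digits to go on, whereas the WebAuthn verifier sees the origin the browser recorded and rejects anything that was not signed for its own site. That is what makes a FIDO2 key phishing-resistant even though both it and an OTP token are "hardware" factors.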
After stealing login credentials, the hackers were able to steal 130 of Dropbox's GitHub code repositories. The company says these included 'our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team'.
The intruder's access to the GitHub repo silo was terminated on 14th October, and the firm has since rotated all of the developer API credentials the attacker was able to access.
Dropbox brought in independent investigators, who concluded that there had been no misuse of the stolen code and that 'the risk to customers is minimal'.
A warning too late
GitHub had issued a warning about phishing attempts that included impersonating CircleCI, just three weeks prior to the attack.
Dropbox says it was already taking steps to prevent incidents of this kind by updating its two-factor authentication systems, and that it will soon start using hardware tokens or biometric factors across its environment ('Closing the stable door after the horse has bolted' comes to mind - Ed.).
The company has tried to speak up for itself, but a defence of 'It could have happened to anyone' is unlikely to hold much weight:
'For many people, clicking links and opening attachments is a fundamental part of their job. Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time. This is precisely why phishing remains so effective - and why technical controls remain the best protection against these kinds of attacks.
'As threats grow more sophisticated, the more important these controls become.'