Dropbox suffers breach as hacker steals from 130 GitHub repositories

2 Nov 2022

The exposed data included ‘a few thousand names and email addresses’ belonging to Dropbox employees, customers, sales leads and vendors.

Dropbox has confirmed it suffered a data breach after a successful phishing attack gave a hacker access to some of its GitHub code repositories.

The data that was exposed included names and email addresses belonging to some Dropbox employees, customers, sales leads and vendors.

Dropbox said the incident occurred after it was targeted by a phishing campaign impersonating CircleCI, which is a code integration platform used by Dropbox staff. A person can use their GitHub credentials to log into CircleCI.

“These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a one-time password to the malicious site,” Dropbox explained in a blogpost yesterday (1 November).

This gave the threat actor access to one of the company’s GitHub organisations, where they were able to copy 130 of its code repositories.

The cloud service provider said it took immediate action when it was notified of the breach and disabled the threat actor’s access to GitHub. Dropbox said it also reviewed its logs to ensure there was no evidence of “successful abuse”.

“To be sure, we hired outside forensic experts to verify our findings, and reported this event to the appropriate regulators and law enforcement,” the company added.

Its investigation has found that the code accessed by the threat actor contained some credentials used by Dropbox developers, primarily API keys. The code and data around it also included “a few thousand” names and email addresses belonging to employees, current and past customers, sales leads and vendors.

“While we believe any risk to them is minimal, we have notified those affected,” the company said.

It added that the hacker did not gain access to anyone’s Dropbox account, password or payment information. The accessed repositories also did not contain any code for its core apps or infrastructure.

To prevent this sort of breach in future, the company said it is accelerating its use of WebAuthn, which it called the current “gold standard” in multi-factor authentication.

“We know it’s impossible for humans to detect every phishing lure,” Dropbox said. “Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time.

“This is precisely why phishing remains so effective – and why technical controls remain the best protection against these kinds of attacks.”
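Why WebAuthn resists the lure described above, where a hardware key's one-time code could be relayed through a fake login page: the browser and authenticator bind the page origin and relying-party ID into the signed response, so the server can reject anything produced on a look-alike site. This is an added illustration, not Dropbox's or GitHub's code; the relying-party ID, origins and challenge are constructed placeholders, and the signature check that follows these steps is omitted.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders for a hypothetical relying party (not Dropbox's values).
RP_ID = "accounts.example-rp.test"
ALLOWED_ORIGINS = {"https://accounts.example-rp.test"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple:
    """Server-side checks that make WebAuthn phishing-resistant. Returns (ok, reason).
    The signature over authenticator_data || sha256(client_data_json) is verified
    only after these pass (omitted here)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    # The browser, not the user, writes the origin: a look-alike login page
    # cannot produce client data that claims the genuine origin.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: %s" % cd.get("origin")
    # The authenticator scopes its credential to the RP ID hash it was registered for.
    if len(authenticator_data) < 37 or authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Construct what a browser sends for a 'get' ceremony on the given origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01, counter: int = 0) -> bytes:
    """Construct authenticator data: rpIdHash (32) || flags (1) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")
```

A phishing page served from another origin yields a different origin string and a different rpIdHash, so a response captured there fails these checks at the genuine service even if the user approved it on their key.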

Phishing attacks have been utilised in several high-profile data breaches in recent months. For example, the Twilio data breach happened after employees were tricked into sharing their login credentials.

The hackers behind the Twilio breach were said to be conducting an “unprecedented” phishing campaign, compromising more than 130 organisations, according to a report by cybersecurity company Group-IB in August.

Leigh Mc Gowran is a journalist with Silicon Republic