130 Dropbox code repos plundered after successful phishing attack

Dropbox has suffered a data breach, but users needn’t worry because the attackers did not gain access to anyone’s Dropbox account, password, or payment information. Instead, they grabbed code from 130 of the company’s private repositories hosted on GitHub.

Dropbox data breach

What was compromised?

The compromised repositories contain “copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team” – but not code for Dropbox core apps or infrastructure.

The attackers also found:

  • API keys used by Dropbox developers
  • A few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors

“Our security teams took immediate action to coordinate the rotation of all exposed developer credentials, and determine what customer data—if any—was accessed or stolen. We also reviewed our logs, and found no evidence of successful abuse. To be sure, we hired outside forensic experts to verify our findings, and reported this event to the appropriate regulators and law enforcement,” the company stated.

How did the attackers manage to get access?

The attackers got in by impersonating CircleCI, a company that develops a continuous integration and continuous delivery (CI/CD) platform used by Dropbox developers.

As Dropboxers use their GitHub credentials to login to CircleCI, compromising those credentials means compromising GitHub accounts.

“While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes,” the company explained.

“These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site.”

One of these attempts succeeded, and the attackers gained access to one of Dropbox’s GitHub organizations (and 130 private code repositories).

What’s next for Dropbox after this data breach?

GitHub was the first to notice suspicious behavior related to Dropbox’s GitHub accounts and repositories on October 13. A day later, they notified the company.

The Dropbox security team did not say whether the credentials were compromised in the CircleCI-branded phishing campaign spotted by GitHub on September 16, or a later one.

Still, this incident spurred them to accelerate their efforts to adopt WebAuthn.

“Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time. This is precisely why phishing remains so effective—and why technical controls remain the best protection against these kinds of attacks,” the team acknowledged.

“Prior to this incident, we were already in the process of adopting this more phishing-resistant form of multi-factor authentication. Soon, our whole environment will be secured by WebAuthn with hardware tokens or biometric factors.”

Earlier this year, Twilio and Cloudflare and many other organizations were targeted with phishing messages impersonating identity and access management company Okta, and Cloudflare came out of it unscathed because its employees use physical security keys to provide the second authentication factor.

Don't miss