Dropbox has disclosed a security breach in which attackers stole 130 code repositories after gaining access to one of its GitHub accounts with employee credentials captured in a phishing attack.
The company learned of the compromise on October 14, when GitHub notified it of suspicious activity that had begun the day before.
“To date, our investigation has shown that the code accessed by this attacker contained some credentials — primarily API keys — used by Dropbox developers,” Dropbox said on Tuesday.
“The code and related data also included several thousand names and email addresses belonging to Dropbox employees, current and former customers, sales executives, and vendors (for context, Dropbox has more than 700 million registered users).”
The attackers got in through a phishing campaign aimed at several Dropbox employees: emails impersonating the continuous integration and delivery platform CircleCI led them to a phishing page that asked for their GitHub username and password.
The same page also asked employees to “use their hardware authentication key to generate a one-time password (OTP).” An OTP, even one produced by a hardware key, is just a code the user types in, so a phishing page can relay it to the real login within its validity window; this second factor therefore did not stop the attack.

With the stolen credentials, the attackers accessed one of Dropbox’s GitHub organizations and copied 130 code repositories.
“These repositories included our own copies of third-party libraries slightly modified for use at Dropbox, internal prototypes, and some tools and configuration files used by the security team,” the company added.
“Importantly, they did not include code for our core applications or infrastructure. Access to those repositories is even more restricted and tightly controlled.”
Dropbox added that the attackers never gained access to customer accounts, passwords, or payment information, and that its core applications and infrastructure were not affected.
In response to the incident, Dropbox is moving its entire environment to WebAuthn, backed by hardware tokens or biometric factors. Unlike an OTP, a WebAuthn assertion is bound by the browser to the origin the user is actually on and to a challenge issued by the server, so a credential exercised on a look-alike page cannot be replayed against the real site.
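Why that change closes the hole used here is easier to see in code. The following is an added example written for this article, not Dropbox’s or GitHub’s code: a minimal relying-party verification of a WebAuthn assertion in Go, run once for a real login, once for an assertion obtained on a look-alike page that relays the real challenge, and once as a replay with a stale challenge. The challenge, origin and rpIdHash checks are the ones the WebAuthn specification requires; the domain circleci-login.example, the challenge strings, the use of github.com as the relying party, and the trimmed authenticatorData (header fields only) are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData holds the clientDataJSON fields that matter here; the browser, not the page, sets origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives from navigator.credentials.get().
type assertion struct {
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte
	Signature         []byte // DER ECDSA over authenticatorData || SHA-256(clientDataJSON)
}

// signedMessage is the digest the authenticator signs and the server verifies.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// signAssertion plays browser plus authenticator: the browser records the real origin, the key signs over it.
func signAssertion(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte) (assertion, error) {
	cdJSON, err := json.Marshal(clientData{Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	h := sha256.Sum256([]byte(rpID))
	authData := append(append(h[:], 0x01), 0, 0, 0, 1) // flags=UP, signCount=1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthenticatorData: authData, ClientDataJSON: cdJSON, Signature: sig}, nil
}

// verifyAssertion is the relying-party side; challenge, origin and rpIdHash are checked before the signature.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, expectedOrigin, rpID string, challenge []byte) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch: replay or wrong session")
	}
	if cd.Origin != expectedOrigin {
		return errors.New("origin mismatch: assertion was produced on " + cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// scenario registers one credential and verifies three logins against it; nil means accepted.
func scenario() (map[string]error, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	const origin, rpID = "https://github.com", "github.com"
	challenge := []byte("constructed-challenge-for-this-login") // use crypto/rand in practice
	good, err := signAssertion(priv, rpID, origin, challenge)
	if err != nil {
		return nil, err
	}
	// Constructed look-alike domain: a phishing page relaying the real challenge can only
	// obtain an assertion bound to its own origin and rpId.
	bad, err := signAssertion(priv, "circleci-login.example", "https://circleci-login.example", challenge)
	if err != nil {
		return nil, err
	}
	return map[string]error{
		"legitimate": verifyAssertion(&priv.PublicKey, good, origin, rpID, challenge),
		"phished":    verifyAssertion(&priv.PublicKey, bad, origin, rpID, challenge),
		"replayed":   verifyAssertion(&priv.PublicKey, good, origin, rpID, []byte("constructed-challenge-for-next-login")),
	}, nil
}

func main() {
	fmt.Println(scenario()) // only "legitimate" maps to <nil>
}
```

The contrast with the OTP flow described above is the origin field: a victim can type a six-digit code into any page, but the browser writes the page’s real origin into clientDataJSON and the authenticator signs over it, so the relying party rejects the relayed assertion before it ever checks the signature. The challenge check is what stops the same assertion being submitted twice.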
In September, other GitHub users were targeted by a similar campaign that impersonated CircleCI and asked them to sign in to GitHub to accept updated user terms and a new privacy policy in order to keep using the service.
“Although GitHub itself was not compromised, the campaign affected many victim organizations,” GitHub said.
GitHub said it detected the exfiltration of content from private repositories almost immediately after the compromise, and that the attackers used VPNs or proxy services to make tracking harder.