Dropbox, the cloud storage provider, has announced it has been the target of a phishing attack that successfully accessed its private GitHub repos. GitHub was able to quickly notify Dropbox of the attack, and no customer data or passwords were affected.
The data breach took place on October 13, with Dropbox becoming aware that things were amiss the next day. The attackers impersonated the CircleCI integration and delivery platform that can be logged into using GitHub credentials, bombarding Dropbox staff with realistic-looking phishing emails. Many of them were blocked by Dropbox’s internal systems, but some got through - enough, it seems, for at least one employee to visit a fake CircleCI login page, enter their GitHub credentials, and use a hardware authentication key to pass a one-time password to the malicious site.
This allowed the attacker into Dropbox’s private GitHub area, from where they copied 130 code repositories. Data accessed includes, according to Dropbox’s statement: “...some credentials—primarily, API keys—used by Dropbox developers. [It] also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.” Then later: “These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team. Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled.”
Back in September, GitHub warned its users in a blog post about attacks targeted at CircleCI, noting that “If the threat actor successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens (PATs), authorize OAuth applications, or add SSH keys to the account in order to preserve access in the event that the user changes their password.”
Dropbox was able to cut off the attackers’ access on the same day it found out about the intrusion, and believes the risk to customers is minimal. The company is also upgrading its multi-factor authentication method to WebAuthn—a change already in progress when the attack happened.
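Why the move to WebAuthn closes the gap this phish walked through: a one-time code has no idea which site it was typed into, whereas a WebAuthn assertion is signed over the origin the browser actually talked to. The following is an added illustration, not code from the article, Dropbox or GitHub; the origins, RP ID and the HMAC stand-in for the authenticator's ECDSA signature are constructed for the example.

```python
import base64, hashlib, hmac, json, os

RP_ID = "github.example"                          # constructed relying-party ID
RP_ORIGIN = "https://github.example"              # the genuine login origin
PHISH_ORIGIN = "https://circleci-login.example"   # constructed lookalike page

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def authenticator_assert(cred_secret: bytes, challenge: bytes, origin: str) -> dict:
    """Stand-in for the browser plus hardware key. The browser writes the origin
    it is really connected to into clientDataJSON; the page cannot override it.
    A real key signs with the credential's private key; HMAC over the same
    bytes is used here only so the example runs on the standard library."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash || flags
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(cred_secret, signed, hashlib.sha256).digest()}

def rp_verify(cred_secret: bytes, expected_challenge: bytes, a: dict) -> bool:
    """Relying-party side: type, challenge and origin checks, then the signature."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(expected_challenge):
        return False
    if cd.get("origin") != RP_ORIGIN:          # the phishing-resistance check
        return False
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, a["signature"])

def otp_verify(submitted: str, expected: str) -> bool:
    """A one-time code carries no origin: typed into a fake page, it relays as-is."""
    return hmac.compare_digest(submitted, expected)

def demo() -> tuple:
    secret, challenge = os.urandom(32), os.urandom(32)
    genuine = authenticator_assert(secret, challenge, RP_ORIGIN)
    relayed = authenticator_assert(secret, challenge, PHISH_ORIGIN)   # via the fake page
    # Rewriting the origin field after the fact breaks the hash the signature covers.
    edited = dict(relayed, clientDataJSON=relayed["clientDataJSON"]
                  .replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode()))
    return (rp_verify(secret, challenge, genuine), rp_verify(secret, challenge, relayed),
            rp_verify(secret, challenge, edited), otp_verify("123456", "123456"))
```

Only the assertion made at the genuine origin verifies, while the relayed code passes the OTP check unchanged, which is the difference between the second factor used in this incident and the one Dropbox is moving to.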