Dropbox discloses that code was stolen from 130 GitHub repositories



Dropbox, a cloud storage service, has announced that part of the code it stores on GitHub was stolen by phishing. According to Dropbox, no user personal information was exposed as a result of this data breach, and the leaked code does not affect Dropbox's core apps and infrastructure.

How we handled a recent phishing incident that targeted Dropbox - Dropbox
https://dropbox.tech/security/a-recent-phishing-campaign-targeting-dropbox

Dropbox apparently breached after hacker stole 130 GitHub repositories
https://www.bleepingcomputer.com/news/security/dropbox-discloses-breach-after-hacker-stole-130-github-repositories/

In September 2022, GitHub issued a warning about phishing attacks targeting its users. In that campaign, the attackers reportedly impersonated CircleCI, a continuous integration and delivery platform, in an attempt to gain access to GitHub accounts.

On October 14, 2022, GitHub warned Dropbox of suspicious behavior. Dropbox's investigation found that an attacker impersonating CircleCI, as in the phishing campaign described above, had accessed a GitHub account belonging to Dropbox.

The investigation found that the attacker did not access Dropbox users' stored data, passwords, or payment information. The attacker did, however, gain access to credentials used by Dropbox developers (mainly API keys), along with code, Dropbox employee information, customer lists, sales leads, and vendors' personal information. 'Though we believe the risk is minimal, we have notified those affected,' Dropbox said.



Dropbox uses GitHub to host public and private repositories, and CircleCI for some internal deployments. In early October 2022, multiple Dropbox users received phishing emails impersonating CircleCI. The emails were intended to gain unauthorized access to Dropbox's GitHub accounts and were sent to accounts that could sign in to CircleCI with their GitHub credentials.

Dropbox's systems automatically quarantined some of these emails, but the rest reached Dropbox employees' inboxes. The emails contained a URL to a 'fake CircleCI login page', where the GitHub account's username and password, together with the one-time password generated by the hardware authentication key, appear to have been stolen. As a result, the attacker was able to access 130 GitHub repositories operated by Dropbox.

The GitHub repositories the attacker was able to access contained proprietary copies of third-party libraries, a prototype app under internal development, and several configuration files used by the security team. Dropbox wrote, 'Importantly, no core apps or infrastructure-related code was included. Access to these repositories is further restricted and strictly controlled.'

After receiving GitHub's notification of suspicious behavior, Dropbox immediately blocked the attacker's access to GitHub. Dropbox's security team coordinated the rotation of all exposed developer credentials and took immediate action to identify any customer data that had been accessed or stolen. Dropbox wrote, 'We have checked the logs, but we have not found any evidence that the data accessed without authorization has been misused.'



Dropbox says it will accelerate the WebAuthn adoption process to prevent similar incidents in the future.
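The incident hinges on a property of the second factor: a one-time password typed into a fake login page can be relayed to the real site within its time window, whereas a WebAuthn assertion is bound by the browser to the origin it was produced on and to the relying party's rpId. The model below is an added illustration, not code from Dropbox, GitHub or CircleCI; it uses only the Python standard library, constructed placeholder hostnames (`github.example`, `circleci-login.example`), and an HMAC in place of WebAuthn's public-key signature so it runs offline. The TOTP part follows the RFC 6238 construction, and the relying-party checks follow the order the WebAuthn specification lists them.

```python
"""Why a relayed one-time password satisfies the server but a relayed
WebAuthn assertion does not. Added illustration (not vendor code).
Hostnames are constructed placeholders; the HMAC "signature" stands in
for WebAuthn's asymmetric signature, which is the one simplification."""
import base64
import hashlib
import hmac
import json
import struct
from typing import Optional
from urllib.parse import urlparse

REAL_ORIGIN = "https://github.example"          # constructed placeholder
PHISH_ORIGIN = "https://circleci-login.example"  # constructed placeholder
RP_ID = "github.example"  # rpId the credential was registered under


# ---- Factor A: TOTP-style one-time code (RFC 6238 / RFC 4226 structure) ----
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Code an OTP token displays for the 30-second window containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def otp_login(secret: bytes, submitted_code: str, now: int) -> bool:
    """Server check: the code is a bare string, so it carries nothing about
    which page the user typed it into."""
    return hmac.compare_digest(totp(secret, now), submitted_code)


def relay_otp(secret: bytes, now: int) -> bool:
    """The fake page collects the code the victim typed and forwards it to
    the real server inside the same window; the server cannot tell."""
    code_typed_on_fake_page = totp(secret, now)  # victim reads it off the token
    return otp_login(secret, code_typed_on_fake_page, now)  # accepted: True


# ---- Factor B: WebAuthn-style assertion (origin and rpId binding) ----
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(page_origin: str, requested_rp_id: str,
                          challenge: bytes, cred_key: bytes) -> Optional[dict]:
    """Model of browser + authenticator. The browser refuses an rpId that is
    not the page's host or a registrable suffix of it, and the browser (never
    the page's script) writes the origin into clientDataJSON."""
    host = urlparse(page_origin).hostname or ""
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None  # refused before any signature is made
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": _b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP|UV) || signCount
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for ES256
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": signature}


def rp_verify(assertion: dict, challenge: bytes, cred_key: bytes) -> str:
    """Relying-party verification; returns 'ok' or the first failed check."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "type"
    if cd.get("challenge") != _b64url(challenge):
        return "challenge"          # stale or replayed assertion
    if cd.get("origin") != REAL_ORIGIN:
        return "origin"             # produced on some other site
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "signature"
    return "ok"


def relay_webauthn(challenge: bytes, cred_key: bytes) -> str:
    """Same relay: the fake page forwards the real site's challenge and asks
    for the real rpId. Returns where the attempt stops."""
    a = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, cred_key)
    return "browser refused rpId" if a is None else rp_verify(a, challenge, cred_key)


def relay_webauthn_own_rp_id(challenge: bytes, cred_key: bytes) -> str:
    """If the fake page instead requests its own rpId, the browser will produce
    an assertion, but the origin it records no longer matches the real site."""
    a = browser_get_assertion(PHISH_ORIGIN, "circleci-login.example", challenge, cred_key)
    return rp_verify(a, challenge, cred_key)  # 'origin'


if __name__ == "__main__":
    key, ch = b"per-credential-key", b"server-challenge-1"
    print("OTP relay accepted:", relay_otp(b"12345678901234567890", 1_700_000_000))
    print("WebAuthn relay:", relay_webauthn(ch, key))
    print("WebAuthn relay, own rpId:", relay_webauthn_own_rp_id(ch, key))
    print("Legitimate login:", rp_verify(browser_get_assertion(REAL_ORIGIN, RP_ID, ch, key), ch, key))
```

The point for defenders is in `rp_verify` and `browser_get_assertion`: the origin and rpId checks are enforced by the browser and the relying party, not by the user noticing a lookalike domain, which is why moving from OTP to WebAuthn removes this class of phishing rather than merely making it harder.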

In: Web Service, Security. Posted by logu_ii