Cloud storage provider Dropbox Inc. has disclosed the details of a recent phishing attack that resulted in unauthorized access to 130 of its GitHub software code repositories.
While noting that no content, passwords, or payment information were compromised in the attack, Dropbox said Tuesday that it was providing the details of the attack as part of its commitment to security, privacy and transparency.
The attack, which followed GitHub detailing a phishing campaign in September, was first detected on Oct. 14 when GitHub alerted Dropbox to suspicious behavior that had begun on the previous day. Upon investigation, Dropbox found that a threat actor pretending to be Circle Internet Services Inc. had accessed one of its GitHub accounts.
The code accessed did contain some credentials — primarily application programming interface keys used by Dropbox developers, along with a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads and vendors. The company noted that it has more than 700 million registered users.
An investigation found that in early October, multiple Dropbox employees received phishing emails impersonating CircleCI, which Dropbox uses for internal deployments. Although Dropbox’s internal systems automatically quarantined some of these emails, others managed to get through. The emails directed employees to a fake CircleCI login page where they were asked to enter their GitHub username and password and then use their hardware authentication key to generate a one-time password for the malicious site.
As the disclosure implies, some Dropbox employees fell for the phishing scam, giving the threat actor access to the GitHub account, from which they proceeded to copy 130 code repositories. The repositories included copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by Dropbox’s security team.
The company responded to the attack with internal reviews and by hiring outside forensic experts to verify changes. The attack was also reported to regulators and law enforcement. Moving forward, Dropbox plans to switch authentication to the WebAuthn login standard, arguing that it’s more secure and less vulnerable to phishing.
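The difference between the two factors described above, shown as an added illustration that is not part of the article or of Dropbox's or GitHub's code: a hardware-key one-time code is valid no matter which page asked for it, so a fake login page can relay it, whereas a WebAuthn assertion carries the origin the browser was actually on, so the legitimate site rejects one produced on a lookalike domain. The seed, key, origins and password are constructed demo values, and HMAC stands in for the authenticator's real signature.

```python
import hashlib, hmac, json, secrets, struct

# Constructed demo values (not real Dropbox/GitHub secrets or domains).
OTP_SECRET = b"demo-seed-not-a-real-secret"
REAL_ORIGIN = "https://github.example"          # assumed legitimate login origin
FAKE_ORIGIN = "https://circleci-login.example"  # assumed attacker-controlled lookalike

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: the code depends only on secret and counter, never on which site asks."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"

def otp_server_login(password: str, otp: str, counter: int) -> bool:
    """Legitimate server: accepts the right password plus the right HOTP code."""
    return password == "correct-horse" and hmac.compare_digest(otp, hotp(OTP_SECRET, counter))

def otp_phish(counter: int) -> bool:
    """Victim types password and hardware-key code into the fake page; attacker replays both."""
    captured_password, captured_otp = "correct-horse", hotp(OTP_SECRET, counter)
    return otp_server_login(captured_password, captured_otp, counter)  # True: relay succeeds

# WebAuthn: the browser, not the page, writes the origin into the data the authenticator signs.
def authenticator_sign(key: bytes, origin: str, challenge: str) -> tuple:
    """Stand-in for a FIDO authenticator signing clientDataJSON filled in by the browser."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    sig = hmac.new(key, client_data, hashlib.sha256).digest()  # HMAC stands in for ECDSA here
    return client_data, sig

def rp_verify(key: bytes, client_data: bytes, sig: bytes, expected_challenge: str) -> bool:
    """Relying party checks challenge, origin and signature (simplified from the spec)."""
    data = json.loads(client_data)
    if data.get("origin") != REAL_ORIGIN or data.get("challenge") != expected_challenge:
        return False
    return hmac.compare_digest(sig, hmac.new(key, client_data, hashlib.sha256).digest())

def webauthn_phish(key: bytes) -> bool:
    """Attacker relays the real challenge, but the victim's browser stamps the fake origin."""
    challenge = secrets.token_urlsafe(16)
    client_data, sig = authenticator_sign(key, FAKE_ORIGIN, challenge)
    return rp_verify(key, client_data, sig, challenge)  # False: origin mismatch
```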
“I’d like to first applaud Dropbox about the transparency and swiftness they showed in terms of disclosing details about their breach in a timely manner,” Jeff Williams, co-founder and chief technology officer at application security software company Contrast Security Inc., told SiliconANGLE. “This is the type of transparency that I’m encouraged to see more of and hope that other organizations mirror these efforts for future incidents. By sharing the details about this breach, other organizations can view this as a reminder to stay on top of their own security awareness programs that can help their employees identify sophisticated phishing attacks.”
Dr. Eric Cole, advisory board member at quantum-proof encryption company Theon Technology, noted that the breach was a “lesson in the weaknesses of using multifactor authentication and the dangers that users can still be socially engineered to provide this information to an attacker. In this case, these were technical people within the organization that would understand the general dangers of social engineering, yet the attack was so good, they were lured into not only entering their passwords but entering the one-time value that was provided to them.”
Cole said the attack did raise a red flag, namely why the attacker targeted Dropbox’s GitHub account in particular. “Dropbox is making this sound like it was just a casual attack and no real damage happened, but very rarely is that true,” Cole added. “Either the attacker did indeed compromise sensitive data and it was not discovered yet or information was taken that can be used for extortion or ransom payments.”