Dropbox discloses breach, hackers stole 130 code repositories

Phishing emails pretending to be from CircleCI were sent to many Dropbox employees with the intention of stealing GitHub credentials

In a recent blog post published by the Dropbox security team on its official website, the company revealed that it was breached on October 13, 2022.

Threat actors used employee login information they had obtained through phishing to log into one of Dropbox’s GitHub accounts, where they stole 130 code repositories. The company learned that the account had been compromised on October 14, when GitHub alerted it to suspicious behaviour that had begun the day before the notice was given.

In early October, phishing emails pretending to be from CircleCI were sent to many Dropbox employees with the intention of stealing GitHub credentials (a person can use their GitHub credentials to log in to CircleCI). Some of these emails were automatically quarantined by Dropbox’s systems, while others ended up in Dropboxers’ inboxes. Through a fake CircleCI login page, employees were instructed to enter their GitHub username and password and then to use their hardware authentication key to send a One Time Password (OTP) to the malicious website. With these credentials, the threat actor eventually gained access to one of the GitHub groups and then copied 130 source repositories.

The blog post also gives insight into how Dropbox handled the breach and what its next steps are. “Our security teams work tirelessly to keep Dropbox worthy of our customer’s trust. While the information accessed by this threat actor was limited, we hold ourselves to a higher standard. We’re sorry we fell short, and apologize for any inconvenience. One way we hope to prevent a similar incident from occurring is by accelerating our adoption of WebAuthn,” the blog post said.