Phishing at Dropbox: is your data still safe?


Alexander Boero

November 02, 2022 at 2:20 p.m.


Dropbox admitted on Tuesday that it was the target of a phishing campaign that resulted in the leak of 130 of its GitHub repositories.

Online storage service Dropbox has admitted to being the victim of a phishing campaign that went beyond simply collecting usernames and passwords: the attackers also captured multi-factor authentication codes. With those, they copied 130 of Dropbox's GitHub repositories. The platform has 700 million users, 17.5 million of them paying. What happened, and what did the attackers actually get access to?

Classic phishing

On October 14, GitHub alerted Dropbox to suspicious behavior that had begun the previous day. On investigation, the storage service found that a threat actor, also posing as CircleCI, had accessed one of its GitHub accounts. The actor had targeted Dropbox employees with emails impersonating CircleCI, the American continuous integration and delivery platform.

Dropbox uses GitHub to host its public repositories and some of its private ones. A Git repository holds a project's files together with the full history of changes to them, so any earlier version of the code can be retrieved when needed. Dropbox also uses CircleCI for some internal deployments.

In early October, several Dropbox employees received phishing emails impersonating CircleCI, aimed at their GitHub accounts. The company's mail filters quarantined some of these emails, but others reached employees' inboxes.

Non-sensitive data exposed; customer accounts and payment data untouched

The emails directed employees (exactly how many were tricked is not known) to a fake CircleCI login page, where they were asked to enter their GitHub username and password and then to use their hardware authentication key to produce a one-time password, which the attacker captured. A valid password plus a freshly captured code is enough to log in to GitHub as the employee, and through this scheme the attacker gained access to 130 code repositories. What did they contain?

The repositories contained copies of third-party libraries, internal prototypes, and some tools and configuration files used by the security team. Dropbox also lists API keys used by its developers among the material the attacker could read; any key committed to a repository has to be treated as compromised once that repository is copied, whatever else the attacker did with it. The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees and to current and former customers.

Dropbox was quickly able to establish that none of the repositories contained code for its core applications or infrastructure. The attackers also did not reach more sensitive systems: customer accounts, passwords and payment data were not accessed.

"We are sorry to have failed and we apologize for any inconvenience," said Dropbox, explaining that not all forms of multi-factor authentication resist phishing equally: a one-time code typed into a fake page can simply be relayed to the real site, which is what happened here. "Prior to this incident, we were already in the process of adopting this more phishing-resistant form of multi-factor authentication. Soon our entire environment will be secured by WebAuthn with hardware tokens or biometric factors," the company adds. WebAuthn became an official W3C web standard for passwordless login in March 2019. It lets a site create and use public-key credentials that are bound to the site's origin: the authenticator signs a server-supplied challenge together with the origin the browser actually loaded the page from, so a credential exercised on a look-alike domain produces nothing the real site will accept. It works with FIDO2 and U2F security keys (including NFC ones) and with platform authenticators unlocked by fingerprint or screen lock.


Dropbox

  • Remarkable synchronization
  • Complete ecosystem
  • Read/Write Performance

Thanks to its broad compatibility, impeccable ergonomics, fluidity and read/write performance, as well as its exhaustive feature set, Dropbox is a remarkable storage service. It is the only cloud service that integrates this well into every platform. Even iCloud, OneDrive, and Google Drive do not work as seamlessly on their own respective iOS, Windows, and Android systems.

Although it has one of the richest ecosystems on the market with its "App Center", Dropbox remains the champion of simplicity. On the other hand, it still falls short on certain points, such as the relative confidentiality of data, backup functions that are far too limited, and a tiny free storage allowance of 2 GB.

Source : Dropbox