dropbox-breach:-hackers-unauthorizedly-accessed-130-github-source-code-repositories

Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Dropbox Breach: Hackers Unauthorizedly Accessed 130 GitHub Source Code Repositories

File hosting service Dropbox on Tuesday disclosed that it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub.

“These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team,” the company revealed in an advisory.

The breach resulted in the access of some API keys used by Dropbox developers as well as “a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.”

It, however, stressed that the repositories did not contain source code related to its core apps or infrastructure.

Dropbox, which offers cloud storage, data backup, and document signing services, among others, has over 17.37 million paying users and 700 million registered users as of August 2022.

The disclosure comes more than a month after both GitHub and CircleCI warned of phishing attacks designed to steal GitHub credentials through fake notifications purporting to be from the CI/CD platform.

The San Francisco-based firm noted that “multiple Dropboxers received phishing emails impersonating CircleCI” in early October, some of which slipped through its automated spam filters to land in employees’ email inboxes.

“These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site,” Dropbox explained.

The company did not reveal how many of its employees fell for the phishing attack, but said it took prompt action to rotate all exposed developer credentials and that it alerted law enforcement authorities.

It also said it found no evidence that any customer data was stolen as a result of the incident, adding it’s upgrading its two-factor authentication systems to support hardware security keys for phishing resistance.

“Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time,” the company concluded. “This is precisely why phishing remains so effective.”

The Dropbox notification also comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published guidance to implement phishing-resistant multi-factor authentication (MFA) to safeguard against phishing and other known cyber threats.

“If an organization using mobile push-notification-based MFA is unable to implement phishing-resistant MFA, CISA recommends using number matching to mitigate MFA fatigue,” the agency said.


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

How to Craft Rich Data-Driven Infographics with Powered Template

How to Craft Rich Data-Driven Infographics with Powered Template

We’re living in a data-driven world, and this means that it’s imperative to share information in the most engaging and…
Meta Fined €265 million in Facebook Data Scraping Case in the EU

Meta Fined €265 million in Facebook Data Scraping Case in the EU

Ireland’s Data Protection Commissioner (DPC) has placed yet another fine of €265 million ($277 million) on Meta following Facebook’s data…
Critical Flaw Exploited to Bypass Fortinet Products and Compromise Orgs

Critical Flaw Exploited to Bypass Fortinet Products and Compromise Orgs

While performing routine monitoring, Cyble’s Global Sensor Intelligence (GIS) discovered a threat actor is distributing unauthorized access to several Fortinet…