Dropbox has publicly disclosed how a phishing campaign hijacked one of its GitHub accounts and compromised code and data by impersonating the code integration and delivery platform CircleCI.
A few employees, customers, sales leads, and vendors were accessed, including API keys used by Dropbox’s developers.
CircleCI had previously been impersonated in a similar phishing campaign by threat actors.
Dropbox said the issue was quickly resolved. No content, passwords, or payment info was accessed. Since we have even more restricted access, we didn’t lose access to our core apps or infrastructure.
“We don’t think customers are at risk.” This threat actor accessed no Dropbox account, password, or payment information.”
In a statement, the firm said: “We’re committed to protecting our customers, partners, and employees’ privacy, and though we think any risk to them is minimal, we notified them.”
The breach was discovered in mid-October when Dropboxers received emails that seemed to come from CircleCI, which Dropbox uses for “selected internal deployments.” Others made it through Dropbox’s cyber dragnet, even though some of these emails were intercepted and quarantined.
To get a one-time password, recipients had to go to a fake CircleCI login page, enter their GitHub username and password, and use their hardware authentication key. From there, the threat actor was able to copy 130 code repositories.
Dropbox got notified by GitHub on 14 October, and the threat actor was kicked out that same day. After that, Dropbox’s security team rotated exposed credentials and found out what data was accessed.
The company’s investigation and monitoring, backed by a third-party cyber forensics team, have not found evidence of successful abuse.
There’s no way humans can detect every phishing lure, said the firm. It’s a fundamental part of their job to click links and open attachments. A carefully crafted message delivered at the right time and place can fool even the most skeptical, vigilant professional. Phishing is so effective because of this – and technical controls are the best protection against them. The more sophisticated threats get, the more critical these controls are.
Keeping Dropbox trustworthy is our team’s top priority. We hold ourselves to a higher standard, even though this threat actor had limited access. We’re sorry we fell short and apologize if you were inconvenienced.”
Dropbox is now adopting WebAuthn for credential management due to the cyber attack, which it described as the “gold standard” of multi-factor authentication (MFA). After the attack, it adopted WebAuthn MFA, and customers can use it.
The popularity of phishing keeps growing among hackers as other security measures improve while it remains effective and cheap,” said Outpost24’s Martin Jartelius.
“There are a few ways to circumvent those threats, such as using password managers integrated into browsers, so they won’t submit passwords in phishing attempts if they don’t have a matching domain.” In the same vein, YubiKeys can be used to validate the site identity for the second factor.”
Jartelius said: “We can note here that while the user affected had to access most developers’ repositories, it didn’t include the core product repositories. Less great is that personal data for staff and partners were stored in git repositories. I hope this only pertains to developer contact information, but the information released isn’t exactly clear.”
Cybereason’s Sam Curry says that Dropbox’s ultimate role as a “super-aggregator of data” makes it an attractive and potentially highly lucrative target for hackers, so it should make itself harder to hack.
To avoid being a victim, they need to do much better security than an average company of their size and revenue.
From the outside looking in, it looks like Dropbox knows its weaknesses and is accelerating plans to improve identity security and authentication.
Keep going, look for single points of failure, be transparent post-incident, update risk assessments, learn lessons, and always keep customers and partners in mind. You’ll go down in history as a hero or a villain, never as a victim, so be a hero.”
