Hackers Stole 130 Source Code GitHub Repos In Dropbox Data Breach
Yesterday, the cloud storage provider Dropbox disclosed a recent phishing attack targeting the company’s employees that resulted in unauthorized access to 130 of its GitHub repositories. Fortunately, the incident didn’t escalate to a breach affecting any users’ Dropbox content, passwords, or payment information. However, according to Dropbox, the stolen data did include “a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.” The company has notified all those affected by this data breach.
The code repositories accessed by the threat actor contained development credentials, including API keys, but Dropbox has since rotated all exposed credentials so as to prevent any further unauthorized access using the stolen keys. This mitigation step seems to have been effective, as a review of the company’s logs didn’t find any indicators that the stolen keys were successfully abused.
Besides development credentials, the affected GitHub repositories were home to Dropbox’s modified copies of third-party libraries, internal prototypes, and some of the security team’s tools and configuration files. According to Dropbox, the threat actor was not able to steal the source code for any of the company’s core apps or infrastructure, as “[a]ccess to those repositories is even more limited and strictly controlled.”
The code repositories accessed by the threat actor contained development credentials, including API keys, but Dropbox has since rotated all exposed credentials so as to prevent any further unauthorized access using the stolen keys. This mitigation step seems to have been effective, as a review of the company’s logs didn’t find any indicators that the stolen keys were successfully abused.
Besides development credentials, the affected GitHub repositories were home to Dropbox’s modified copies of third-party libraries, internal prototypes, and some of the security team’s tools and configuration files. According to Dropbox, the threat actor was not able to steal the source code for any of the company’s core apps or infrastructure, as “[a]ccess to those repositories is even more limited and strictly controlled.”
The threat actor behind this data breach was able to gain access to a Dropbox employee’s GitHub account by impersonating the continuous integration and delivery platform CircleCI. CircleCI can integrate with GitHub, enabling users to login to CircleCI using their GitHub login credentials. The threat actor took advantage of this integration by sending out what appeared to be legitimate emails from CircleCI directing Dropbox employees to sign in to CircleCI with their GitHub credentials.
The link contained in these phishing emails sent employees to a fake CircleCI login page that asked for employees’ GitHub usernames, passwords, and one time passwords (OTP). Evidently at least one employee was duped by this phishing attempt and handed over the requested login credentials, resulting in the subsequent data breach.
Similar phishing attacks recently struck both Twilio and Cloudflare. However, the attack on Cloudflare failed because Cloudflare’s employees use hardware security keys with biometric authentication and origin binding, rather than time-based one-time passwords (TOTP), for multi-factor authentication (MFA). Origin binding locks authentication to the original login site, preventing fake phishing pages from receiving authentication codes. While Dropbox also uses hardware security keys, the company hasn’t yet completed its transition away from OTP to WebAuthn, an authentication protocol that employs origin binding. Dropbox hopes to prevent data breaches similar to this one in the future by completing its adoption of WebAuthn.
The link contained in these phishing emails sent employees to a fake CircleCI login page that asked for employees’ GitHub usernames, passwords, and one time passwords (OTP). Evidently at least one employee was duped by this phishing attempt and handed over the requested login credentials, resulting in the subsequent data breach.
Similar phishing attacks recently struck both Twilio and Cloudflare. However, the attack on Cloudflare failed because Cloudflare’s employees use hardware security keys with biometric authentication and origin binding, rather than time-based one-time passwords (TOTP), for multi-factor authentication (MFA). Origin binding locks authentication to the original login site, preventing fake phishing pages from receiving authentication codes. While Dropbox also uses hardware security keys, the company hasn’t yet completed its transition away from OTP to WebAuthn, an authentication protocol that employs origin binding. Dropbox hopes to prevent data breaches similar to this one in the future by completing its adoption of WebAuthn.
