Dropbox GitHub Hack: What Happened?
File hosting service Dropbox has disclosed a major security breach that allowed threat actors to hack its GitHub code repositories.
Hackers gained unauthorized access to 130 repositories after a phishing attack gave them access to a Dropbox GitHub account using employee credentials.
Dropbox said it discovered the breach on 14th October, when it was alerted by GitHub about suspicious activity that had started the day before the alert was sent.
In a blog post, the company said the hackers did not have access to content, passwords or payment information, and the problem was quickly resolved.
Additionally, the company’s core apps and infrastructure were unaffected as Dropbox has strict controls in place to stop access.
“We believe the risk for customers is minimal. Because we take our commitment to security, privacy and transparency seriously, we have notified those affected and are sharing more here,” the post said.
“To date, our investigation has determined that the code accessed by this threat actor contained some credentials—primarily API keys—used by Dropbox developers,” Dropbox continued.
“The code and data surrounding it also included a few thousand names and email addresses belonging to Dropbox employees, current and former customers, prospects, and vendors (for context, Dropbox has more than 700 million registered users).”
A successful phishing attack that targeted several Dropbox employees used emails impersonating CircleCI’s continuous integration and delivery platform. The correspondence redirected employees to a phishing landing page asking them to enter their GitHub username and password.
In addition, the employees were asked to use their hardware authentication key to generate a one-time password (OTP), which, once entered on the phishing page, gave the hackers access to the repositories.
Dropbox said: “These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team.”
The same day the company was informed of the suspicious activity, it disabled the access the threat actors were given.
“Our security teams took immediate action to coordinate the rotation of all visible developer credentials and determine what customer data – if any – was accessed or stolen. We have also reviewed our logs and found no evidence of successful abuse.”
The company hired forensic experts from outside the organization to verify the findings and reported the results to the appropriate regulators and law enforcement.
In response to the incident, Dropbox said it is working to secure its entire environment using WebAuthn and hardware tokens or biometric factors. Before the hack, the firm was in the process of adopting this more phishing-resistant form of multi-factor authentication.
“We apologize for falling short and apologize for any inconvenience this may have caused. One way we hope to prevent a similar incident from occurring is by accelerating our adoption of WebAuthn,” Dropbox added.
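Why the hardware-key OTP in this incident could be relayed from a phishing page while WebAuthn cannot, as an added illustration that is not Dropbox's or GitHub's code: the relying-party checks below follow the WebAuthn assertion ceremony (type, challenge, origin, RP ID hash). The RP ID, origins and challenge are constructed placeholders, and signature verification over the assertion is assumed to happen separately.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders standing in for the real relying party.
RP_ID = "example-rp.test"
EXPECTED_ORIGIN = "https://example-rp.test"
CHALLENGE = hashlib.sha256(b"constructed-challenge").digest()

def verify_otp(submitted, expected):
    """An OTP is a bare string: nothing ties it to the page it was typed into,
    so a code entered on a phishing page can be relayed to the real site."""
    return hmac.compare_digest(submitted, expected)

def verify_webauthn_assertion(client_data_json, authenticator_data, expected_challenge):
    """Origin-binding checks from the WebAuthn 'get' ceremony. Verifying the
    signature over authenticator_data || sha256(client_data_json) is assumed
    to happen separately and is omitted here."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    b64 = client_data.get("challenge", "")
    challenge = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if not hmac.compare_digest(challenge, expected_challenge):
        return False
    # The browser, not the page, fills in origin; a phishing site cannot forge
    # it, so an assertion collected on another origin is rejected here.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False
    # authenticatorData starts with SHA-256 of the RP ID the credential is scoped to.
    expected_rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    return hmac.compare_digest(authenticator_data[:32], expected_rp_hash)

def make_assertion(origin, challenge):
    """Constructed stand-in for what browser and authenticator would produce."""
    client_data = {"type": "webauthn.get", "origin": origin,
                   "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    return json.dumps(client_data).encode(), auth_data

def phishing_relay_demo():
    """Same user, same hardware key: the OTP relays, the WebAuthn assertion does not."""
    cdj, ad = make_assertion("https://example-rp-login.test", CHALLENGE)  # phishing origin
    phished = verify_webauthn_assertion(cdj, ad, CHALLENGE)
    cdj, ad = make_assertion(EXPECTED_ORIGIN, CHALLENGE)
    genuine = verify_webauthn_assertion(cdj, ad, CHALLENGE)
    return {"otp_relayed": verify_otp("482913", "482913"),
            "webauthn_phished": phished, "webauthn_genuine": genuine}
```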
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy commented: “Phishing attempts like this illustrate why these types of attacks continue to be effective. When even IT professionals can fall for phishing attacks, is there any hope in trying to educate the average user about the dangers of phishing emails and messages?
“Unfortunately, the bad actors of the world have become so adept at crafting phishing emails that even computer pros can be fooled. Gone are the days when awkward wording and poor spelling and grammar would reveal a phishing attempt.”
Back in mid-September, GitHub Security announced that a similar hack affected its systems after learning that threat actors were targeting GitHub users by impersonating CircleCI.
Hackers attempted to obtain user credentials and two-factor codes. Although GitHub was not affected, the campaign was said to have affected many victim organizations.