130 Dropbox Code Repositories Compromised in a Sophisticated Phishing Campaign

essidsolutions

On Wednesday, Dropbox disclosed a breach of one of its GitHub accounts that allowed the threat actor(s) to access over a hundred repositories. Dropbox said its employees were targeted in a phishing campaign similar to the CircleCI-impersonation campaign that GitHub uncovered in September.

A Dropbox employee recently fell prey to a phishing campaign that involved threat actor(s) impersonating CircleCI to compromise employee credentials. This led to the compromise of a GitHub account belonging to Dropbox on October 13.

Dropbox said most of the “legitimate-looking” phishing emails were blocked, though some slipped past its safeguards. Links in the emails led to a fake CircleCI login page that asked for the employee’s GitHub credentials and then prompted them to use their hardware authentication key to pass a One Time Password (OTP) to the malicious site. Because an OTP is valid no matter which page it is typed into, the attacker could replay both the credentials and the code against the real GitHub login before the code expired.
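The following added example (not code from Dropbox, GitHub or this article) models the attack flow above. It contrasts an OTP login, where the attacker’s lookalike page simply relays the password and the RFC 6238 code to the real server, with a simplified origin-bound authenticator in the FIDO2/WebAuthn style, where the browser binds the origin it is actually on into the assertion so a relayed assertion is rejected. The origins, the shared-HMAC stand-in for WebAuthn’s public-key signature, and the sample secrets are all assumptions made for the example.

```python
"""OTP relay phishing vs. origin-bound login (constructed example)."""
import hashlib
import hmac
import secrets
import struct

# Constructed origins for the example; not the real phishing domain.
REAL_ORIGIN = "https://github.com"
PHISH_ORIGIN = "https://circleci-login.example"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the current 30-second counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OtpUser:
    """A user with a password and an OTP token (hardware key or app)."""
    def __init__(self, password: str, otp_secret: bytes):
        self.password = password
        self.otp_secret = otp_secret

    def fill_login_form(self, origin: str, now: int) -> dict:
        # The code depends only on the secret and the time; the page's
        # origin plays no part, so the user cannot tell a lookalike apart.
        return {"password": self.password, "otp": totp(self.otp_secret, now)}


class OtpServer:
    """Verifier that accepts password + OTP. It cannot tell whether the OTP
    was typed into its own page or into a lookalike."""
    def __init__(self, password: str, otp_secret: bytes):
        self.password = password
        self.otp_secret = otp_secret

    def verify(self, form: dict, now: int) -> bool:
        return (hmac.compare_digest(form["password"], self.password)
                and hmac.compare_digest(form["otp"], totp(self.otp_secret, now)))


def otp_relay_phish(user: OtpUser, server: OtpServer, now: int) -> bool:
    """Attacker's page at PHISH_ORIGIN collects the form and replays it to the
    real server inside the same 30-second window. Returns True if they get in."""
    stolen = user.fill_login_form(PHISH_ORIGIN, now)
    return server.verify(stolen, now)


class OriginBoundAuthenticator:
    """Simplified FIDO2/WebAuthn-style authenticator. Assumption: an HMAC under
    a key shared with the server stands in for the real public-key signature.
    The point modelled is that the browser's actual origin is signed over."""
    def __init__(self, key: bytes):
        self.key = key

    def assertion(self, challenge: bytes, browser_origin: str) -> bytes:
        return hmac.new(self.key, challenge + browser_origin.encode(),
                        hashlib.sha256).digest()


class OriginBoundServer:
    """Relying party: issues one-time challenges, verifies for its own origin only."""
    def __init__(self, key: bytes, origin: str):
        self.key = key
        self.origin = origin
        self._issued = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._issued.add(challenge)
        return challenge

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        if challenge not in self._issued:   # unknown or already-used challenge
            return False
        self._issued.discard(challenge)
        expected = hmac.new(self.key, challenge + self.origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def origin_bound_relay_phish(auth: OriginBoundAuthenticator,
                             server: OriginBoundServer) -> bool:
    """Attacker proxies a real challenge to the victim on PHISH_ORIGIN. The
    victim's browser binds the origin it is really on, so verification fails."""
    challenge = server.new_challenge()                  # attacker starts a real login
    relayed = auth.assertion(challenge, PHISH_ORIGIN)   # victim signs on the lookalike
    return server.verify(challenge, relayed)


def origin_bound_legit_login(auth: OriginBoundAuthenticator,
                             server: OriginBoundServer) -> bool:
    challenge = server.new_challenge()
    return server.verify(challenge, auth.assertion(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    user, srv = OtpUser("pw", b"k" * 20), OtpServer("pw", b"k" * 20)
    print("OTP relay phish succeeds:", otp_relay_phish(user, srv, 1_665_600_000))
    key = b"x" * 32
    print("origin-bound relay phish succeeds:",
          origin_bound_relay_phish(OriginBoundAuthenticator(key),
                                   OriginBoundServer(key, REAL_ORIGIN)))
```

The `totp` function can be checked against the RFC 6238 test vectors (secret `12345678901234567890`, time 59, six digits gives `287082`). The OTP relay works whenever the attacker replays inside the code’s validity window, which is exactly what a real-time proxy phishing page does; the origin-bound flow fails not because the challenge was reused but because the assertion was made for the wrong origin, which is the property CISA means by phishing-resistant MFA.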

The cloud storage, backup and document-signing company confirmed that some of the code accessed by the attackers contained some API keys used by Dropbox developers to access private company repositories.

Jeff Williams, co-founder and CTO at Contrast Security, told Spiceworks, “While the attackers didn’t directly attack the organization’s APIs, they used a phishing attack to get access to a source code repo that contained some code that invoked APIs with keys. From there, the bad actors stole those keys for those APIs.”

The total impact, Dropbox disclosed, was limited to 130 code repositories, which the threat actor copied. “You might argue that Dropbox should not have had keys in their repos in the first place; those should be stored as secrets in secure storage,” Williams added.
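As an added example of the check a practitioner would want here (not code from Dropbox or from this article), the scanner below walks file contents and flags credentials committed in source: known key formats (an AWS access key ID, a GitHub personal access token) by pattern, and generic `api_key = "..."`-style assignments by pattern plus a Shannon-entropy filter so that placeholders like `your_secret_key_here` are not reported. The sample files, the entropy threshold and the key strings (the AWS one is the placeholder from AWS documentation; the others are made up) are assumptions for the example; the fixed file reads the key from the environment at runtime, which is what “secrets in secure storage” looks like at the code level.

```python
"""Scan source text for hardcoded credentials (constructed example)."""
import math
import os
import re
from typing import Dict, List, Tuple

# Pattern names and regexes are assumptions for this example; real tools
# (gitleaks, trufflehog, GitHub secret scanning) carry far larger rule sets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # name = "value" where the name suggests a secret and the value is 16+ chars
    "assigned_secret": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]([^'\"]{16,})['\"]"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption that placeholders score lower


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line number, rule name) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                # the value is the last capture group if the rule has one
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                if rule == "assigned_secret" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low-entropy strings are almost always placeholders
                findings.append((path, lineno, rule))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Scan an in-memory {path: contents} map; returns only files with findings."""
    results = {}
    for path, text in files.items():
        hits = scan_text(path, text)
        if hits:
            results[path] = hits
    return results


def scan_tree(root: str, skip_dirs=(".git", "node_modules")) -> Dict[str, List[Tuple[str, int, str]]]:
    """Scan a checked-out repository on disk (e.g. from a pre-commit hook)."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read()
            except OSError:
                continue
    return scan_files(files)


# Constructed sample "repository": one file with secrets in code, one fixed.
SAMPLE_FILES = {
    "tools/sync_config.py": (
        "import os\n"
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder key\n'
        'GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"\n'
        'api_key = "x7Kp9QmZ2vLr4TbN8wHs3YdF6gJc1aEu5oPi0RlV"\n'
        'secret = "your_secret_key_here"  # placeholder, should not be reported\n'
    ),
    "tools/sync_fixed.py": (
        "import os\n"
        'api_key = os.environ["SYNC_API_KEY"]  # injected from secret storage at runtime\n'
    ),
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for _, lineno, rule in hits:
            print(f"{path}:{lineno}: {rule}")
```

Run from a pre-commit hook or CI job, `scan_tree(".")` returning anything non-empty should fail the build. The entropy filter cuts noise but is not a safety net: a short or low-entropy real password still slips through, so the pattern list, not the threshold, is what needs maintaining.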


The good news is that Dropbox, which as of Q2 2022 had 700 million registered users and 17.37 million paying users (the company’s Q3 2022 results are expected to be released later today), confirmed that the 130 copied repositories did not include code for its core apps or infrastructure.

The bad news is that the compromised repositories contained Dropbox’s copies of modified third-party libraries, internal prototypes, and some tools and configuration files. Beyond the API keys, the code and the data around it also included “a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.”

The Dropbox breach coincides with the Cybersecurity and Infrastructure Security Agency (CISA) publishing two fact sheets and guidance urging organizations to implement phishing-resistant multi-factor authentication (MFA). CISA also encouraged adopting a Zero Trust policy for access.

Williams continued, “I’d like to first applaud Dropbox for the transparency and swiftness they showed in terms of disclosing details about their breach in a timely manner. This is the type of transparency that I’m encouraged to see more of and hope that other organizations mirror these efforts for future incidents.”

“By sharing the details about this breach, other organizations can view this as a reminder to stay on top of their own security awareness programs that can help their employees identify sophisticated phishing attacks.”

For additional details on phishing attacks that impersonate CircleCI, refer to GitHub’s advisory.
