Skip links

Dropbox admits 130 of its private GitHub repos were copied after phishing attack

Dropbox has said it was successfully phished, resulting in someone copying 130 of its private GitHub code repositories and swiping some of its secret API credentials.

The cloud storage locker on Tuesday detailed the intrusion, and stated “no one’s content, passwords, or payment information was accessed, and the issue was quickly resolved.”

“We believe the risk to customers is minimal,” the biz added.

The security snafu came to light on October 13 when Microsoft’s GitHub detected suspicious behavior on Dropbox’s corporate account. GitHub let Dropbox know the next day, and the cloud storage outfit investigated. Dropbox determined it had fallen victim to a phisher who had impersonated the code integration and delivery platform CircleCI.

Dropbox is a CircleCI user “for select internal deployment.” Dropbox employees use their GitHub accounts to access Dropbox’s private code repos, and their GitHub login details also get them into CircleCI. You know where this is going: get a Dropbox engineer’s GitHub login details by pretending to be CircleCI, and then use that information to get into the Dropbox GitHub organization, and rifle through the private repos.

Interestingly, just three weeks before the attack, GitHub warned of phishing campaigns that involved impersonation of CircleCI. Dropbox appears not to have got the memo, because in early October its staff were sent and one or more bods fell for emails that masqueraded as legit CircleCI messages.

“These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site,” Dropbox’s explanation states. That site would harvest the entered login details so that miscreants could use the info and log into a victim’s GitHub account, and get into the work repos.

This tactic “eventually succeeded, giving the threat actor access to one of our GitHub organizations where they proceeded to copy 130 of our code repositories.”

Dropbox doesn’t appear unduly worried by the incident because the repos “included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team.”

No code for core apps or infrastructure was accessed, apparently.

Dropbox also said the intruder’s access to the GitHub repo silo was revoked on October 14, and that the cloud storage biz has since rotated all developer API credentials that the intruder had access to. The company also hired external investigators to review its findings and all have concluded no abuse of the copied code has been detected.

The company’s write-up said it was already working to combat this sort of incident by upgrading its two-factor authentication systems to WebAuthn multi-factor authentication and will soon use hardware tokens or biometric factors across its entire environment. That effort has been accelerated in the wake of the attack.

Dropbox apologized for the brouhaha and promised to do better, though signed off by stating the biz’s security team believes it is inevitable some phishing attacks will succeed, even with the best technical controls in place. ®