Hackers Attacked Dropbox and Gained Access to 130 Repositories on GitHub

Dropbox reported that in mid-September, its employees were targeted by hackers who broke into their GitHub accounts.

Using phishing, the attackers managed to gain access to one of the company’s GitHub organizations, and then stole data from 130 repositories.


The incident occurred on October 14, 2022, and was associated with a large-scale phishing campaign that GitHub representatives had previously warned about. In that campaign, scammers sent emails with fake notifications on behalf of the CircleCI service, which is used for continuous development and deployment.

[Image: Example of a phishing message]

These emails, for example, notified recipients of changes in the privacy policy and terms of use, ostensibly requiring people to sign in to their GitHub account and accept the changes. The attackers' goal was to collect GitHub credentials and the one-time passwords (OTP) used for two-factor authentication, which were relayed to the attackers through reverse proxies.

Dropbox reports that one of the company's employees was deceived by such an email, which looked exactly like the real thing. As a result, the attackers gained access to one of the company’s GitHub accounts.

“The attacker did not have access to anyone’s Dropbox account content, passwords, or payment information. To date, our investigation has shown that the code accessed by the attacker contained only some of the credentials (mostly API keys) used by the Dropbox developers. The code and associated data also included several thousand names and email addresses belonging to Dropbox employees, current, past, and potential customers (Dropbox has over 700 million registered users). We take the privacy of our customers, partners, and employees seriously, and while we believe the risk to them is minimal, we have already notified all those affected,” Dropbox said.

Company representatives write that having gained access to one of the company’s GitHub accounts, the attackers managed to infiltrate one of the Dropbox GitHub organizations, from where they eventually copied 130 repositories.

These repositories contained “copies of third-party libraries slightly modified for Dropbox use, internal prototypes, a number of tools, and configuration files used by the security team.” It is emphasized that the repositories did not contain the code of the main applications or infrastructure, and access to such repositories is limited and strictly controlled.

Immediately after the suspicious activity was detected, the attackers’ access to GitHub was disabled. Dropbox security experts updated all compromised developer credentials and determined which customer data was exposed or stolen. The company is currently working on a WebAuthn rollout that was in progress prior to the incident and will now be accelerated.
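An OTP is a bare code, so a reverse proxy can relay it unchanged, whereas a WebAuthn assertion names the origin the browser was actually on and is signed over that data. The sketch below is an added example, not Dropbox's or GitHub's code: it shows the origin-binding checks a relying party runs on an assertion, with signature verification omitted and the host names, challenge and `browser_assertion` helper constructed for illustration.

```python
import base64
import hashlib
import json

RP_ID = "login.example.test"          # assumed relying-party ID (placeholder)
EXPECTED_ORIGIN = "https://" + RP_ID  # origin of the genuine sign-in page


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> str:
    """Origin-binding checks on a WebAuthn assertion. The authenticator signs
    authenticatorData || SHA-256(clientDataJSON), so a proxy cannot rewrite these
    fields without breaking the signature (verification not shown here)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "reject: wrong type"
    if client.get("challenge") != b64url(expected_challenge):
        return "reject: challenge mismatch"
    if client.get("origin") != EXPECTED_ORIGIN:
        return "reject: origin mismatch"
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return "reject: authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # bit 0 of flags = user present
        return "reject: user presence flag not set"
    return "accept"


def browser_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for browser + authenticator output. The browser fills in
    the origin of the page the user is really on, whatever that page looks like."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x01]) + (1).to_bytes(4, "big"))
    return client_data, auth_data


if __name__ == "__main__":
    ch = b"constructed-challenge-0001"
    print(check_assertion(*browser_assertion(EXPECTED_ORIGIN, RP_ID, ch), ch))
    lookalike = "login.example-phish.test"  # constructed look-alike host
    print(check_assertion(*browser_assertion("https://" + lookalike, lookalike, ch), ch))
```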

About the author

Carina Wilson
