The online storage provider Dropbox has announced a security incident: unauthorized third parties probably gained access to Dropbox's GitHub repositories via phishing. The incident came to light on October 14, 2022, when GitHub informed Dropbox that it had detected suspicious activity.
Dropbox uses GitHub in development to host public as well as some private repositories. Developers also use CircleCI for select internal deployments. The notice states that in early October 2022, several Dropbox employees received phishing emails impersonating CircleCI. The goal of the phishing emails was to gain access to Dropbox GitHub accounts (a person can use their GitHub credentials to log into CircleCI).
Dropbox systems quarantined some of these emails, but some reached Dropbox employees' inboxes. These legitimate-looking phishing emails asked employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to submit a one-time password (OTP) to the malicious website. Colleagues at Bleeping Computer have published one such email as an example. This eventually succeeded, and the attacker gained access to one of the Dropbox GitHub organizations, where they copied 130 Dropbox code repositories.
These repositories contained Dropbox-modified copies of third-party libraries intended for use by Dropbox. They also contained internal prototypes and some tools and configuration files used by the security team. On October 14, 2022, Dropbox was notified by GitHub that they had discovered suspicious activity.
The threat actor's access to GitHub was disabled immediately. Dropbox security teams took immediate action to coordinate the rotation of all exposed developer credentials and to determine what, if any, customer data was accessed or stolen. As part of this, they also reviewed Dropbox logs but found no evidence of successful misuse.
To be sure, Dropbox hired outside forensic experts to verify the internal findings and results, and reported the incident to the appropriate regulatory and law enforcement agencies. Dropbox writes that the repositories the attackers accessed did not include code for its core applications or for Dropbox infrastructure. Access to those repositories is even more restricted and tightly controlled, it said.
No Dropbox customer content, passwords or payment information was accessed either, it says. Dropbox believes the risk to its customers related to this incident is minimal.