Popular file hosting and storage provider Dropbox has disclosed that a phishing campaign led to unauthorized access to its source code repositories on GitHub. According to reports, an unidentified threat actor accessed internal files, including prototypes and third-party libraries, among others.
In an advisory, Dropbox shared the incident with its customers and assured them that the problem had been fixed and the unauthorized access had ceased. The company's own tools, documents, and libraries were the main contents of the repositories.
Dropbox has assured its clients and service users that they are protected from the breach because the repositories do not contain source code for its core infrastructure or apps. The company also said that the unknown threat actor accessed some API keys during the breach, along with names, email addresses, client, sales and vendor details, and other private data about Dropbox employees.
Dropbox breach explained
The information was revealed more than a month after GitHub and CircleCI issued warnings about phishing attempts to acquire GitHub credentials via notifications impersonating the CI/CD platform. Early in October, the San Francisco-based company reported that "several Dropboxers received phishing emails impersonating CircleCI," some of which managed to get past its automated spam filters and end up in recipients' inboxes.
According to Dropbox, the emails appeared to come from a reputable source, which is how they reached employee inboxes. The email content instructed employees to visit a phishing website mimicking the CircleCI login page. There, the user was instructed to log in using their GitHub username and password so the threat actor could complete the login process by sending a one-time password (OTP). However, it still needs to be clarified how the phishing scam compromised such a large number of employee accounts.