News, 02.11.2022, 08:30 AM
Dropbox has revealed that it was the victim of a phishing attack that allowed unidentified attackers to gain access to 130 of its code repositories on GitHub. The company claims that the attackers did not access anyone’s content, passwords or payment information, noting that the issue was quickly resolved.
“These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team,” the company revealed.
The attackers also accessed some API keys used by Dropbox developers, as well as “thousands of names and email addresses belonging to Dropbox employees, current and former customers, potential customers and vendors.”
However, the company emphasized that its main applications and infrastructure were not affected by these attacks “because access to this code is even more limited and strictly controlled”, and that it believes the risk to customers is minimal.
Dropbox, which offers cloud storage services, has over 17.37 million paying users and 700 million registered users.
More than a month ago, GitHub and the CircleCI platform warned of phishing attacks that steal GitHub credentials through fake notifications that claim to be from the CI/CD platform. Dropbox said that in early October, “multiple Dropboxers received phishing emails impersonating CircleCI,” some of which made it through their automated spam filters.
“These legitimate-looking emails direct employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to forward a one-time password (OTP) to the malicious site,” Dropbox explained.
The company did not disclose how many of its employees were scammed, but said it took immediate action to replace any exposed developer credentials and notified the appropriate authorities. Dropbox also said it found no evidence that customer data was stolen, adding that it is upgrading its two-factor authentication systems to support hardware security keys.
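The two paragraphs above describe why the relayed OTP worked and why a move to hardware security keys helps: an OTP is just a number the user types, so the server cannot tell which page it was typed into, whereas an origin-bound credential (of the kind WebAuthn/FIDO2 hardware keys provide; the article does not name the protocol, so that is this example's assumption) has the browser write the page origin into the signed data, and the relying party rejects anything produced elsewhere. The following is an added illustration, not Dropbox's, GitHub's or CircleCI's code. The origins, seeds and credential key are constructed values, and the assertion signature uses a shared HMAC key as a stand-in for a real asymmetric credential key pair; only the structure of the relying-party check is meant to carry over.

```python
import hashlib
import hmac
import json
import secrets
import struct

# --- Part 1: an OTP verifier (RFC 6238 style TOTP) -------------------------
# Any OTP the user types can be relayed: the verifier has no way to tell
# where the user entered it.

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for the time window containing at_time."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp_verify(secret: bytes, code: str, at_time: int, step: int = 30) -> bool:
    """Server-side check; accepts the current and adjacent windows, as most servers do."""
    return any(
        hmac.compare_digest(totp(secret, at_time + drift * step, step), code)
        for drift in (-1, 0, 1)
    )


# --- Part 2: an origin-bound assertion (simplified WebAuthn-style flow) -----
# The browser, not the user, writes the origin into the signed client data,
# so the relying party (RP) can reject an assertion produced on another site.
# Simplification: a shared HMAC key stands in for the real asymmetric
# credential key pair; the structure of the check is what matters here.

LEGIT_ORIGIN = "https://login.legit.example"          # constructed
PHISH_ORIGIN = "https://login.legit-example.invalid"  # constructed


def authenticator_assert(cred_key: bytes, challenge: str, browser_origin: str):
    """What the user's key signs: the RP's challenge plus the page origin the browser observed."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    signature = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, signature


def rp_verify_assertion(cred_key: bytes, expected_challenge: str, expected_origin: str,
                        client_data: bytes, signature: bytes) -> bool:
    """Relying-party check: challenge matches, origin matches, signature valid."""
    try:
        data = json.loads(client_data)
    except ValueError:
        return False
    if data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(data.get("challenge", "")), expected_challenge):
        return False
    if data.get("origin") != expected_origin:
        return False  # produced on a page the RP does not own: reject
    expected_sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, signature)


# --- Part 3: the two flows side by side --------------------------------------

def relayed_otp_accepted(now: int = 1_700_000_000) -> bool:
    """User types a valid OTP into the fake page; the fake page submits it to the real server."""
    secret = b"constructed-demo-seed"
    typed_on_fake_page = totp(secret, now)                   # the user's key/app produced this
    return totp_verify(secret, typed_on_fake_page, now + 5)  # submitted a few seconds later


def relayed_assertion_accepted() -> bool:
    """Same relay attempt against an origin-bound credential."""
    cred_key = b"constructed-demo-credential-key"
    challenge = secrets.token_urlsafe(32)  # issued by the real RP, passed through to the fake page
    # A real browser would already refuse, because the fake origin does not match the
    # credential's registered RP ID; even if an assertion were produced, it carries PHISH_ORIGIN.
    client_data, sig = authenticator_assert(cred_key, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, LEGIT_ORIGIN, client_data, sig)


def legitimate_assertion_accepted() -> bool:
    """Control case: the same credential used on the genuine origin verifies."""
    cred_key = b"constructed-demo-credential-key"
    challenge = secrets.token_urlsafe(32)
    client_data, sig = authenticator_assert(cred_key, challenge, LEGIT_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, LEGIT_ORIGIN, client_data, sig)


if __name__ == "__main__":
    print("relayed OTP accepted by server:    ", relayed_otp_accepted())          # True
    print("relayed assertion accepted by RP:  ", relayed_assertion_accepted())    # False
    print("genuine-origin assertion accepted: ", legitimate_assertion_accepted()) # True
```

The point for a defender is in `rp_verify_assertion`: the origin comparison is performed against data the user never types and the phishing page cannot rewrite without invalidating the signature, which is what makes hardware-key login phishing-resistant where an OTP, even one generated by a hardware token, is not.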
“People are inundated with messages and notifications, which makes it difficult to detect phishing scams. Even cautious professionals can fall victim to a carefully crafted message delivered in the right way at the right time,” the company concluded. “This is precisely why phishing remains so effective.”