Gandalf_The_Grey
- Apr 24, 2016
We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub. No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected and are sharing more here.
~ ~ ~
In today's evolving threat landscape, people are inundated with messages and notifications, making phishing lures hard to detect. Threat actors have moved beyond simply harvesting usernames and passwords, to harvesting multi-factor authentication codes as well. In September, GitHub detailed one such phishing campaign, in which a threat actor accessed GitHub accounts by impersonating the code integration and delivery platform CircleCI.
We recently learned that Dropbox was targeted by a similar campaign. On October 14, 2022, GitHub alerted us to some suspicious behavior that began the previous day. Upon further investigation, we found that a threat actor—also pretending to be CircleCI—accessed one of our GitHub accounts, too.
At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information. To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers. The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users). We take our commitment to protecting the privacy of our customers, partners, and employees seriously, and while we believe any risk to them is minimal, we have notified those affected.
At Dropbox, our number one company value is being worthy of trust. In the interest of transparency, and to contribute to the industry’s understanding of these types of threats, we want to share what happened and how we responded.