- Apr 24, 2016
We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub. No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected and are sharing more here.
~ ~ ~
In today's evolving threat landscape, people are inundated with messages and notifications, making phishing lures hard to detect. Threat actors have moved beyond simply harvesting usernames and passwords, to harvesting multi-factor authentication codes as well. In September, GitHub detailed one such phishing campaign, in which a threat actor accessed GitHub accounts by impersonating the code integration and delivery platform CircleCI.
We recently learned that Dropbox was targeted by a similar campaign. On October 14, 2022, GitHub alerted us to some suspicious behavior that began the previous day. Upon further investigation, we found that a threat actor—also pretending to be CircleCI—accessed one of our GitHub accounts, too.
At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information. To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers. The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users). We take our commitment to protecting the privacy of our customers, partners, and employees seriously, and while we believe any risk to them is minimal, we have notified those affected.
At Dropbox, our number one company value is being worthy of trust. In the interest of transparency, and to contribute to the industry’s understanding of these types of threats, we want to share what happened and how we responded.