How we handled a recent phishing incident that targeted Dropbox

Gandalf_The_Grey

We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub. No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected and are sharing more here.

~ ~ ~

In today's evolving threat landscape, people are inundated with messages and notifications, making phishing lures hard to detect. Threat actors have moved beyond simply harvesting usernames and passwords, to harvesting multi-factor authentication codes as well. In September, GitHub detailed one such phishing campaign, in which a threat actor accessed GitHub accounts by impersonating the code integration and delivery platform CircleCI.

We recently learned that Dropbox was targeted by a similar campaign. On October 14, 2022, GitHub alerted us to some suspicious behavior that began the previous day. Upon further investigation, we found that a threat actor—also pretending to be CircleCI—accessed one of our GitHub accounts, too.

At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information. To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers. The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users). We take our commitment to protecting the privacy of our customers, partners, and employees seriously, and while we believe any risk to them is minimal, we have notified those affected.

At Dropbox, our number one company value is being worthy of trust. In the interest of transparency, and to contribute to the industry’s understanding of these types of threats, we want to share what happened and how we responded.
 

upnorth

Dropbox determined it had fallen victim to a phisher who had impersonated the code integration and delivery platform CircleCI.

Dropbox is a CircleCI user "for select internal deployment." Dropbox employees use their GitHub accounts to access Dropbox's private code repos, and their GitHub login details also get them into CircleCI. You know where this is going: get a Dropbox engineer's GitHub login details by pretending to be CircleCI, use that information to get into the Dropbox GitHub organization, and then rifle through the private repos. Interestingly, just three weeks before the attack, GitHub warned of phishing campaigns that involved impersonation of CircleCI. Dropbox appears not to have got the memo, because in early October its staff were sent – and one or more bods fell for – emails that masqueraded as legit CircleCI messages.
 

Ink

This incident was 100% preventable.

[Screenshot 2022-11-04 at 12.44.22.png (Image: GitHub)]

[Screenshot 2022-11-04 at 12.44.45.png (Image: Dropbox)]
 
