The Dropbox GitHub Data Breach
Even the oldest file-sharing services can fall to a good old-fashioned phishing attack.
Back in 2007, Drew Houston, Dropbox’s founder, got sick and tired of losing his USB drive. So, he created the first individual/small business cloud storage service. It was a new, exciting idea, and everyone loved it. They loved it so much that dozens of cheap or free cloud storage providers and services exist today. But Dropbox is still popular as its current market cap of $7.87 billion shows. But Dropbox also recently got smacked by a phishing attack.
Dropbox realized something was wrong after GitHub reported suspicious activity on Dropbox’s corporate account to the company on Oct. 14. It turned out, an attacker “accessed [their] GitHub accounts by impersonating the code integration and delivery platform CircleCI.”
If that sounds familiar, it should. GitHub reported this September that multiple users had been targeting GitHub users by phishing attackers impersonating CircleCI. The hackers then harvested their user credentials and two-factor authentication codes.
The same thing happened to Dropbox. But and this is important, Dropbox reports, “At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information.”
However, Dropbox itself wasn’t so lucky. Altogether, 130 private Dropbox GitHub repos were opened up and copied.
These hacked repositories included copies of Dropbox-modified third-party libraries, internal prototypes, and — oh, the shame of it all! — some security team tools and configuration files.
But, the invaders, the company claims, did not get to Dropbox’s core apps or infrastructure code. “Access to those repositories is even more limited and strictly controlled,” the Dropbox security team stated. Mind you, I would have thought the security team’s tools and configuration files would have that same level of security as well.
I fear Dropbox was more lucky than good in not having its mission-critical files copied off.
How It Happened
How did it happen? It’s the usual phishing story. While Dropbox’s e-mail system automatically quarantined some of the infected messages, “others landed in Dropboxers’ inboxes. These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site.”
Dropbox is to be credited for admitting to this successful attack. Far too many companies never acknowledge that they’ve been hacked. Kids, everyone, gets hacked eventually. Don’t believe me? Check your e-mail address or phone number on HaveIbeenPwned.
Scary, isn’t it?
What you can do is make it harder. That’s what Dropbox has done.
Recognizing that not all types of multifactor authentication are created equal, and some are more vulnerable to phishing than others. I’m looking at you SMS-based 2 Factor Authentication, WebAuthn is currently the gold standard.
“Prior to this incident,” Dropbox explained, “we were already in the process of adopting this more phishing-resistant form of multifactor authentication. Soon, our whole environment will be secured by WebAuthn with hardware tokens or biometric factors.”
Oh, and Dropbox customers? Dropbox already offers WebAuthn to its customers. Visit their help center to learn how to enable it on your Dropbox account.
So, keep in mind, as zero trust security company iboss CEO Paul Martini, said, “This recent data breach is evidence that even simple attack techniques like phishing are capable of impacting a company as large and sophisticated as Dropbox. Threat actors were able to gain access and quickly move through stealing both credentials and code repositories.” If you haven’t started moving your company to a zero trust or WebAuthn security environment, get moving there now.
Finally, if you think your Dropbox account has been hacked, you can report it to Dropbox here.