Dropbox GitHub data breach

Even the oldest file sharing services can fall to a good old fashioned phishing attack.

Back in 2007, Drew Houston, Dropbox’s founder, got sick and tired of losing his USB drive. So he created the first cloud storage service for individual/small businesses. It was a new, exciting idea and everyone loved it. They loved it so much that dozens of cheap or free cloud storage providers and services exist today. But Dropbox remains popular as its current market cap of $7.87 billion shows. But Dropbox was also recently hit by a phishing attack.

Oops!

The attack

Dropbox realized something was wrong after GitHub reported suspicious activity on Dropbox’s business account to the company on October 14. It turned out that an attacker “opened [their] GitHub accounts by mimicking the code integration and delivery platform CircleCI.”

If that sounds familiar, it should. GitHub reported in September that several users had targeted GitHub users by phishing attackers posing as CircleCI. The hackers then harvested their user credentials and two-factor authentication codes.

The same thing happened with Dropbox. But, and this is important, Dropbox reports, “At no time did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information.”

However, Dropbox itself was not so lucky. In total, 130 private Dropbox GitHub repos were accessed and copied.

These hacked repositories included copies of Dropbox-modified third-party libraries, internal prototypes, and – oh, the shame of it all! — some security team tools and configuration files.

But the intruders, the company claims, didn’t get to Dropbox’s core apps or infrastructure code. “Access to these repositories is even more restricted and strictly controlled,” the Dropbox security team said. Mind you, I would have thought that the security team’s tools and configuration files would also have the same level of security.

I’m afraid that Dropbox was more lucky than good that it didn’t copy its mission-critical files.

How it happened

How did it happen? It’s the usual phishing story. While Dropbox’s email system automatically quarantined some of the infected messages, others “landed in Dropboxers’ inboxes. These legitimate emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to send a one-time password (OTP) to the malicious website.

Dropbox should be credited for admitting this successful attack. Too many companies never acknowledge that they have been hacked. Kids, all of them, get hacked eventually. Don’t believe me? Check your email address or phone number on HaveIbeenPwned.

Scary, right?

What you can do is make it harder. That’s what Dropbox has done.

Recognize that not all types of multifactor authentication are created equal, and some are more vulnerable to phishing than others. I’m looking at you SMS-based 2-factor authentication, WebAuthn is currently the gold standard.

“Prior to this incident,” Dropbox explained, “we were already in the process of adopting this more phishing-resistant form of multi-factor authentication. Soon our entire environment will be secured by WebAuthn with hardware tokens or biometric factors.”

And Dropbox customers? Dropbox already offers WebAuthn to its customers. Visit their support page to find out how to enable it on your Dropbox account.

So remember, as CEO of iboss company iboss, Paul Martini, said: “This recent data breach is proof that even simple attack techniques like phishing are capable of affecting a company as large and sophisticated as Dropbox. Threat actors were able to to gain access and quickly go through stealing both credentials and code storage.” If you haven’t started moving your company to a zero-trust or WebAuthn security environment, you can move there now.

Finally, if you think your Dropbox account has been hacked, you can report it to Dropbox here.