Dropbox ‘Hacker’ Didn’t Steal Passwords or Data from 700 Million Users

As news updates about Dropbox seemingly fell victim to hackers in October, here’s what actually happened.

The hugely popular Dropbox file hosting service has been hacked. Or at least, you could be forgiven for thinking so, given the story that’s currently starting to break following a post from the Dropbox security team on November 1st.

This post from the Dropbox security team confirms that a threat actor did indeed gain access to certain Dropbox source code. However, this code was contained in 130 GitHub repositories.

MORE FROM FORBESFormer UK PM Liz Truss’ phone allegedly hacked by Kremlin spies: ReportOf Davey Winder

How did a threat actor breach the security of the Dropbox GitHub repository?

Like many organizations, Dropbox uses GitHub to host multiple private repositories. In early October, the Dropbox security team became aware of a phishing campaign that apparently targeted employees. The phishing email purported to originate from code integration and delivery platform CircleCI; a company used by Dropbox for specific internal code distributions. “While our systems automatically quarantined some of these emails, others ended up in Dropbox’s inboxes,” the report says.

These used a realistic template that directed recipients to what appeared to be a CircleCI login page where they were directed to enter their GitHub account credentials. Although protected by a second authentication factor, in this case, a hardware authentication system to generate a one-time password, the threat actor was able to eventually successfully use both to gain access to “one of our GitHub organizations where they continued copying 130 of our code stores,” the security team confirms.

On October 14th, GitHub notified Dropbox of suspicious behavior from the previous day. Threat access was disabled the same day, and Dropbox security teams “took immediate action to coordinate the rotation of all visible developer credentials and determine what, if any, customer data was accessed or stolen.”

Dropbox also brought in external forensics teams to verify the investigative findings, report the incident to law enforcement and relevant regulators.

MORE FROM FORBESEmergency security update for Chrome as Google confirms another 0-day exploitOf Davey Winder

What Dropbox data was accessed?

So, what did the threat actor access? The Dropbox security team says that “these repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team. Importantly, they did not include code for our core apps or infrastructure. Access to these warehouses are even more limited and strictly controlled.”

Importantly, it’s been confirmed that at no point did the threat actor have access to anyone’s Dropbox account, password, or payment information. “Our investigation has determined that the code accessed by this threat actor contained some credentials, primarily API keys, used by Dropbox developers. The code and the data surrounding it also included a few thousand names and email addresses belonging to Dropbox employees, current and earlier. customers, prospects and suppliers,” the statement said. For context, Dropbox has more than 700 million registered users. Those who may have accessed email details have already been informed by Dropbox.