Dropbox, the cloud storage provider, has announced that it was the target of a phishing attack that successfully accessed its private GitHub repositories. GitHub was able to notify Dropbox of the attack quickly, and no customer content or passwords were affected.
The breach took place on October 13, with Dropbox becoming aware that something was amiss the following day. The attackers impersonated CircleCI, the continuous integration and delivery platform that can be logged into with GitHub credentials, and bombarded Dropbox staff with realistic-looking phishing emails. Many were blocked by Dropbox's internal systems, but some got through: enough, it appears, for at least one employee to visit a fake CircleCI login page, enter their GitHub credentials, and use a hardware authentication key to pass a one-time password to the malicious site. A one-time password of this kind carries no information about which site requested it, so the phishing page could simply forward the code to GitHub along with the stolen password.
This allowed the attacker into Dropbox's private GitHub area, from where they copied 130 code repositories. Data accessed includes, according to Dropbox's statement: “…some credentials—primarily, API keys—used by Dropbox developers. [It] also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.” Then later: “These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team. Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled.”
Back in September, GitHub warned its users in a blog post about attacks targeting CircleCI, noting that “If the threat actor successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens (PATs), authorize OAuth applications, or add SSH keys to the account in order to preserve access in the event that the user changes their password.” The practical consequence is that a password reset alone does not evict such an attacker: any tokens, OAuth authorizations and SSH keys added during the intrusion have to be revoked as well.
Dropbox was able to cut off the attackers' access on the same day it found out about the intrusion, and believes the risk to customers is minimal. The company is also upgrading its multi-factor authentication approach to WebAuthn, a change already in progress when the attack occurred. Unlike a one-time password, a WebAuthn assertion is signed over the origin the browser actually connected to, so a credential registered for GitHub cannot be exercised from a look-alike domain.
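The difference between the two factors described above is easiest to see in a small simulation. The following Python is an added example and is not Dropbox's or GitHub's code. It makes two assumptions the article does not state: that the hardware key's one-time password was RFC 4226 HOTP (the source only says "one-time password"), and that an HMAC under a per-credential secret stands in for the authenticator's ECDSA private key so the script runs on the standard library alone (real WebAuthn uses an asymmetric key pair; the origin and RP ID checks shown are the ones from the WebAuthn specification). The origins `https://github.com` and `https://circleci-login.example` and all keys and secrets are constructed for the demonstration.

```python
"""Why a hardware-key OTP survives a phishing relay while a WebAuthn assertion does not.

Constructed simulation, not Dropbox or GitHub code. Assumptions: the OTP scheme is
RFC 4226 HOTP, and HMAC stands in for the authenticator's ECDSA key so the script
needs only the standard library.
"""
import base64
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse

REAL_ORIGIN = "https://github.com"                  # site the user meant to log in to
RP_ID = "github.com"                                # WebAuthn relying-party ID for it
PHISHING_ORIGIN = "https://circleci-login.example"  # constructed look-alike host


# ----------------------------------------------------------- HOTP (RFC 4226)
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpRelyingParty:
    """Server side of HOTP: accepts any code inside a small look-ahead window."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronise; a replayed code is refused
                return True
        return False


def otp_phishing_relay(secret: bytes) -> bool:
    """Victim taps the key on the fake page; the attacker forwards the code verbatim.

    The code carries no information about the site it was typed into, so the
    real server accepts it. Returns True when the relayed login succeeds."""
    server = OtpRelyingParty(secret)
    code_typed_into_fake_page = hotp(secret, 0)       # key's current counter
    return server.verify(code_typed_into_fake_page)   # attacker replays unchanged


# ------------------------------------------------- WebAuthn-style assertion
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(cred_key: bytes, challenge: str, browser_origin: str) -> dict:
    """What browser + authenticator produce when the user taps the key.

    The browser, not the page, records `origin` and derives the RP ID from the
    host it really connected to, so a phishing page cannot claim github.com."""
    rp_id = urlparse(browser_origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        separators=(",", ":"),
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    auth_data += bytes([0x05])                           # flags: UP | UV
    auth_data += struct.pack(">I", 1)                    # signCount
    # Real authenticators ECDSA-sign authData || SHA-256(clientDataJSON); HMAC stands in.
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": signature}


def verify_assertion(cred_key: bytes, issued_challenge: str, assertion: dict) -> str:
    """Relying-party checks in spec order; returns 'ok' or the first failing check."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return "type mismatch"
    if client_data.get("challenge") != issued_challenge:
        return "challenge mismatch"
    if client_data.get("origin") != REAL_ORIGIN:
        return "origin mismatch"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad signature"
    return "ok"


def webauthn_login(cred_key: bytes, browser_origin: str) -> str:
    """One login. The attacker may relay the server's challenge unchanged, but the
    origin the browser records is the one the victim is actually on."""
    challenge = b64url(os.urandom(32))                 # issued by the real server
    assertion = make_assertion(cred_key, challenge, browser_origin)
    return verify_assertion(cred_key, challenge, assertion)


if __name__ == "__main__":
    otp_secret = b"12345678901234567890"  # RFC 4226 test-vector secret
    cred_key = os.urandom(32)
    print("OTP through phishing relay accepted:", otp_phishing_relay(otp_secret))
    print("WebAuthn from real origin:", webauthn_login(cred_key, REAL_ORIGIN))
    print("WebAuthn via phishing relay:", webauthn_login(cred_key, PHISHING_ORIGIN))
```

Running it shows the relayed OTP accepted and the relayed WebAuthn assertion rejected with "origin mismatch". If the attacker edits `clientDataJSON` to claim the real origin, the next check fails instead, because the `rpIdHash` in `authenticatorData` still names the phishing host; with a real authenticator the signature check would fail as well, since the signature covers both fields.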