Cloud storage service Dropbox has shared details of how it was successfully targeted by a phishing campaign in which a threat actor impersonated the code integration and delivery platform CircleCI to access one of its GitHub accounts and compromise code and data.
The information accessed included API keys used by Dropbox developers, along with the names and email addresses of what Dropbox describes as a very limited number of employees, customers, prospects and suppliers, numbering in the thousands.
GitHub previously warned of a similar phishing campaign in which threat actors impersonated CircleCI in their phishing lures.
“No one had access to content, passwords, or payment information, and the issue was quickly resolved,” said a Dropbox spokesperson. “Our core applications and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled.
“We believe the risk to customers is minimal. At no time did this threat actor have access to the contents of anyone’s Dropbox account, password, or payment information.
The company added: “We take our commitment to protecting the privacy of our customers, partners and employees seriously, and while we believe any risk to them is minimal, we have notified those affected.”
The breach came to light in mid-October, when a number of “Dropboxers” received emails purporting to come from CircleCI, which Dropbox uses for “certain internal deployments”. Some of these emails were intercepted and quarantined, but others got through Dropbox’s defences.
The emails directed recipients to a fake CircleCI login page, where they were asked to enter their GitHub username and password and then use their hardware authentication key to pass a one-time password to the malicious site. In one case the threat actor succeeded, and from there was able to copy 130 code repositories.
GitHub alerted Dropbox on October 14 and the threat actor was locked out the same day, after which Dropbox’s security team moved swiftly to rotate the exposed credentials and determine what data had been accessed.
To date, its investigations and monitoring, with the support of a third-party cybercrime team, have found no evidence of successful abuse of the exposed data.
“We know that it is impossible for humans to detect all phishing lures,” the company said. “For many people, clicking on links and opening attachments is a fundamental part of their job. Even the most skeptical and vigilant professional can fall prey to a carefully crafted message, delivered in the right way at the right time. This is precisely why phishing remains so effective and why technical controls remain the best protection against these types of attacks. The more sophisticated threats become, the more important these controls become.
“Our security teams work tirelessly to ensure that Dropbox remains trusted by our customers. While the information this threat actor had access to was limited, we hold ourselves to a higher standard. We are sorry to have failed and apologize for any inconvenience.”
Following the attack, Dropbox is understood to be accelerating its adoption of WebAuthn for credential management, which it describes as the “gold standard” of multi-factor authentication (MFA). It had already begun rolling out WebAuthn MFA before the attack, and offers it to customers who wish to use it.
“Phishing continues to grow in popularity among hackers as other security measures improve while remaining effective and inexpensive,” said Martin Jartelius, chief security officer at Outpost24.
“There are some things that can be done to circumvent these specific threats, including the use of in-browser password managers, where the password manager will not have a corresponding domain and therefore will not submit the password in cases of phishing, or the use of YubiKeys, which validate the site’s identity claim for the second factor with the same effect.”
Jartelius added: “What we can note as positive here is that while the affected user had access to repositories made available to most developers in the organisation, this did not include product repositories. The less positive part is that the personal data of staff and partners has been stored in git repositories. Hopefully this is only relevant contact information for developers, but based on the published information, this is not entirely clear.”
Sam Curry, chief security officer at Cybereason, said Dropbox’s role as a “super-aggregator of data” made it an attractive and potentially very lucrative target for threat actors, which in turn made Dropbox’s job of defending itself harder.
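The two mitigations raised above, WebAuthn as the MFA standard Dropbox is moving to and a security key that validates the site's identity before releasing the second factor, both rest on the same mechanism: a FIDO2 credential is scoped to a relying-party ID, the browser writes the real page origin into the signed client data, and the server refuses any assertion whose origin or rpIdHash does not match its own. The following Python script is an added illustration of that verification flow, written for this page and not taken from Dropbox, CircleCI, GitHub or any WebAuthn library. The hostnames, the user name and the symmetric HMAC key (standing in for the real public-key signature) are constructed for the example; a one-time password passed to a lookalike page carries no such origin binding, which is why the phish described earlier succeeded.

```python
import base64
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from urllib.parse import urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_matches(origin: str, rp_id: str) -> bool:
    """An rpId may only be the page's host or a registrable parent of it."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


@dataclass
class Credential:
    credential_id: bytes
    rp_id: str
    key: bytes  # toy symmetric key; a real security key holds a private key


class Authenticator:
    """Stand-in for a FIDO2 security key: every credential is bound to an rpId."""

    def __init__(self) -> None:
        self._creds: dict[bytes, Credential] = {}

    def make_credential(self, rp_id: str) -> tuple[bytes, bytes]:
        cred = Credential(os.urandom(16), rp_id, os.urandom(32))
        self._creds[cred.credential_id] = cred
        return cred.credential_id, cred.key  # shared with the RP at registration

    def get_assertion(self, credential_id: bytes, origin: str, challenge: str):
        cred = self._creds[credential_id]
        # The browser supplies the real page origin; a lookalike host never matches.
        if not rp_id_matches(origin, cred.rp_id):
            raise PermissionError(f"credential is scoped to {cred.rp_id}, not {origin}")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        # authenticatorData = rpIdHash (32) || flags (1, bit 0 = user present) || signCount (4)
        auth_data = hashlib.sha256(cred.rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(cred.key, signed, hashlib.sha256).digest()
        return client_data, auth_data, sig


class RelyingParty:
    """Server side: stores registered keys and verifies login assertions."""

    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id, self.origin = rp_id, origin
        self._users: dict[str, tuple[bytes, bytes]] = {}
        self._pending: dict[str, str] = {}  # challenge -> user

    def register(self, user: str, credential_id: bytes, key: bytes) -> None:
        self._users[user] = (credential_id, key)

    def begin_login(self, user: str) -> str:
        challenge = b64url(os.urandom(32))
        self._pending[challenge] = user
        return challenge

    def finish_login(self, user: str, client_data: bytes, auth_data: bytes, sig: bytes):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if self._pending.pop(cd.get("challenge"), None) != user:
            return False, "unknown or replayed challenge"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch"  # the phishing-resistance check
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return False, "user presence flag not set"
        _, key = self._users[user]
        expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        return True, "ok"


def demo() -> dict:
    """Genuine login, a lookalike login page, and tampered client data (all constructed)."""
    rp = RelyingParty("git-host.example", "https://git-host.example")
    key = Authenticator()
    cid, pub = key.make_credential(rp.rp_id)
    rp.register("dev@example", cid, pub)
    results = {}
    ch = rp.begin_login("dev@example")
    results["genuine"] = rp.finish_login("dev@example", *key.get_assertion(cid, rp.origin, ch))
    ch = rp.begin_login("dev@example")
    try:  # the browser reports the lookalike origin, so the key refuses outright
        key.get_assertion(cid, "https://git-host-login.example", ch)
        results["lookalike"] = "assertion produced"
    except PermissionError as exc:
        results["lookalike"] = "refused: " + str(exc)
    cd, ad, sig = key.get_assertion(cid, rp.origin, ch)
    altered = json.dumps({**json.loads(cd), "origin": "https://git-host-login.example"}, sort_keys=True).encode()
    results["altered_origin"] = rp.finish_login("dev@example", altered, ad, sig)
    return results
```

Running `demo()` gives a successful genuine login, a refusal from the key for the lookalike origin, and an "origin mismatch" rejection before the signature is even checked when the client data claims a different origin. The same origin comparison is what an in-browser password manager performs before autofilling, which is the first of Jartelius's two suggestions.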
“Even if they do security better, they have to do it much better than a normal company of their size and revenue to avoid being a victim,” Curry said.
“From the outside, it looks like Dropbox knows its own weaknesses and has plans that it is accelerating to improve identity security and strengthen authentication and authorization.
“My advice is to keep going, look for single points of failure, be as transparent as possible after the incident, update risk assessments, learn the lessons, and keep acting with people, customers and partners, first in mind. History will see you as a hero or a villain, never as a victim, so make decisions to be the hero.”