Cloud storage service Dropbox is sharing details of how it was successfully targeted by a phishing campaign, in which a threat actor impersonated code integration and delivery platform CircleCI to access one of its GitHub accounts and compromise code and data.
The information accessed included API keys used by Dropbox developers and data leads, including the names and email addresses of a very limited number of users, customers, sales and vendors, described in the thousands. GitHub has previously warned against similar phishing campaigns, in which threat actors impersonate CircleCI in their phishing lures.
“No one can quickly access content, passwords, or payment information, and the issue is resolved,” a Dropbox spokesperson said. “Even our core apps and basic facilities are not affected, as access to this code is limited and strictly controlled.
“We believe the risk to customers is minimal. This threat actor never had access to the contents of anyone’s Dropbox account, their password, or their payment information. The firm added: “We take our commitment to protecting the privacy of our customers, partners and employees seriously, and while we believe any risk to them is minimal, we are justified.”
The breach, which uses Dropbox for “select internal deployments,” came to light in mid-October when CircleCI received several emails from “Dropboxers.” Some of these emails were intercepted and intercepted, discovered by Dropbox’s cyber dragnet.
The emails instruct their recipients to visit the fake Circle’s login page, enter their GitHub username and password, and then send a one-time password to the malicious site using their hardware authentication key. In one case, the threat actor succeeded and was able to copy 130 code repositories from there.
GitHub alerted Dropbox on Oct. 14 and removed the threat actor the same day, after which Dropbox’s security team moved quickly to change the exposed credentials and confirm what data was accessed. To date, its investigations and monitoring, supported by a third-party cyber forensics team, have found no evidence of successful misuse of the exposed data.
“We know that it is impossible for humans to detect every fishing lure,” the organization said in a release. “For many people, clicking links and opening attachments is a basic part of their job. Even the most skeptical, cautious expert can fall prey to a carefully crafted message delivered in the right way at the right time. Why phishing is so effective – and why technical controls are the best defense against this type of attack. As threats grow more sophisticated, these controls become more important.
“Our security teams work tirelessly to keep Dropbox worthy of our customers’ trust. Although the information accessed by this threat actor is limited, we are held to high standards. We apologize for being short and regret anything. “
