File-hosting company Dropbox revealed on Tuesday that it has suffered a phishing incident. Attackers took 130 code repositories using stolen credentials after gaining access to one of Dropbox’s GitHub accounts.
The attacker eventually succeeded with at least one target, gaining access to and copying 130 code repositories, which included customized versions of third-party libraries, prototypes of internal software projects, and a collection of tools and configuration files maintained by the Dropbox security team.
Affected employees also used their hardware authentication keys to submit a one-time password (OTP) to the malicious site.
Dropbox programmers were not the only developers targeted by the attackers. In September, GitHub warned that a threat group had begun targeting the service’s users with the same tactic: phishing emails that purported to be from CircleCI, with the goal of harvesting user credentials and the one-time passwords used by developers as a second factor of authentication.
The threat actor behind this data breach was able to gain access to a Dropbox employee’s GitHub account by impersonating the continuous integration and delivery platform CircleCI.
What is CircleCI?
CircleCI can integrate with GitHub, enabling users to log in to CircleCI using their GitHub login credentials. The threat actor took advantage of this integration by sending out what appeared to be legitimate emails from CircleCI directing Dropbox employees to sign in to CircleCI with their GitHub credentials.
The stolen code and the data around it also included “a few thousand” names and email addresses belonging to Dropbox employees, current and past customers, sales leads and vendors.
Dropbox hopes to prevent data breaches similar to this one in the future by completing its adoption of WebAuthn.