Dropbox Gets Hacked

File hosting service Dropbox on Tuesday disclosed that it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub.

“These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team,” the company revealed in an advisory.

The breach also exposed some API keys used by Dropbox developers as well as “a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.”

It emphasized, however, that the repositories did not include any source code for its primary applications or infrastructure.

As of August 2022, Dropbox, which provides cloud storage, data backup, and document signing services among other things, had 700 million registered users and over 17.37 million paid users.

The disclosure came more than a month after GitHub and CircleCI both issued warnings about phishing attempts to harvest GitHub credentials via phony notifications purporting to come from the CI/CD platform.

Early in October, the San Francisco-based company reported that “several Dropboxers received phishing emails impersonating CircleCI,” some of which managed to get past its automated spam filters and end up in recipients’ inboxes.

According to Dropbox, “These emails appeared to be from reputable sources and instructed recipients to visit a phony CircleCI login page, check in with their GitHub username and password, and then use their hardware authentication key to send a One Time Password (OTP) to the malicious website.”

The company did not specify how many of its employees were the victims of the phishing scam, but it did state that it immediately rotated all exposed developer credentials and alerted law enforcement.

However, it said it had found no evidence that customer data had been stolen as a result of the incident. It also said it had been changing its two-factor authentication to use hardware security keys, which are phishing-resistant.
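The distinction the advisory draws matters in practice: an OTP (whether typed from an app or emitted by a hardware token) is just a short code that the real service checks against a secret and the clock, so a phishing page that captures it can forward it within the validity window. A WebAuthn/FIDO2 assertion from a security key, by contrast, is signed over client data in which the browser itself records the origin of the page that requested it, so the relying party can reject anything that was not requested from its own origin. The following Python is an added illustration written for this page, not code from Dropbox, GitHub or CircleCI; the secrets, challenge, relying-party id and origins are constructed sample values, and an HMAC stands in for the security key's real per-credential signature so the example runs on the standard library alone.

```python
"""Why a relayed OTP is accepted but a relayed WebAuthn assertion is not.

Added example for this article, not vendor code. All keys, challenges and
origins are constructed; HMAC replaces the authenticator's real signature.
"""
import hashlib
import hmac
import json
import struct

# ---------- 1. OTP: the code carries no notion of *where* it was typed ----------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 variant). Hardware OTP tokens behave the same way:
    the output depends only on the secret and a counter/time, never on the site."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def otp_login(secret: bytes, submitted_code: str, unix_time: int) -> bool:
    """All the real service can check: does the code match the secret and time?"""
    return hmac.compare_digest(totp(secret, unix_time), submitted_code)

def otp_relay_scenario() -> bool:
    """Victim types the code into a fake login page; the page forwards it a few
    seconds later. Returns True because the real service accepts the relayed code."""
    secret = b"constructed-shared-otp-secret"       # constructed sample secret
    now = 1_700_000_000                             # constructed timestamp
    code_typed_into_fake_page = totp(secret, now)   # token cannot tell the page is fake
    return otp_login(secret, code_typed_into_fake_page, now + 5)  # same 30 s window

# ---------- 2. WebAuthn: the browser binds the assertion to the page origin ----------

RP_ID = "github.example"                 # constructed relying-party id
RP_ORIGIN = "https://github.example"     # the only origin the relying party accepts

def authenticator_sign(cred_key: bytes, rp_id: str, client_data_json: bytes):
    """Stand-in for a security key. A real key signs with a per-credential
    ECDSA/EdDSA key; HMAC is used here only to stay on the standard library."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + struct.pack(">I", 1)   # rpIdHash | flags(UP) | counter
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(cred_key, signed, hashlib.sha256).digest()

def browser_get_assertion(cred_key: bytes, page_origin: str, rp_id: str, challenge: str):
    """The browser, not the web page's JavaScript, writes `origin` into
    clientDataJSON. (A compliant browser would in fact refuse an rpId that is not
    a suffix of the page's domain; we let it proceed to show the server-side check.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data, sig = authenticator_sign(cred_key, rp_id, client_data)
    return client_data, auth_data, sig

def rp_verify(cred_key: bytes, expected_challenge: str,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion-verification procedure:
    type, challenge, origin, rpIdHash, then the signature over the signed data."""
    c = json.loads(client_data)
    if c.get("type") != "webauthn.get" or c.get("challenge") != expected_challenge:
        return False
    if c.get("origin") != RP_ORIGIN:
        return False                      # <- the check a relayed assertion fails
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def webauthn_scenario(page_origin: str) -> bool:
    """Run a login from a page at `page_origin` that relays the RP's real challenge.
    True only when the page really is the relying party's own origin."""
    cred_key = b"constructed-per-credential-key"     # constructed sample key
    challenge = "constructed-challenge-0001"         # real RPs issue random bytes
    client_data, auth_data, sig = browser_get_assertion(cred_key, page_origin, RP_ID, challenge)
    return rp_verify(cred_key, challenge, client_data, auth_data, sig)

if __name__ == "__main__":
    print("relayed OTP accepted:", otp_relay_scenario())                         # True
    print("assertion from real origin:", webauthn_scenario(RP_ORIGIN))          # True
    print("assertion relayed via fake page:",
          webauthn_scenario("https://circleci-login.example"))                  # False
```

The point to take from the two scenarios is that the OTP check has no input it could use to detect the relay, whereas the origin and rpIdHash fields give the relying party exactly that input; this is what “phishing resistance” means for hardware security keys used over WebAuthn, as opposed to the same keys used to emit an OTP.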

“Vigilant professionals can be misled by a thoughtfully written message provided in the right way at the right time,” the organization claimed. This explains why phishing is still so effective today.
