Dropbox reveals data breach after phishing attack let hackers access private code

News
By published

Incident is more of a nuisance than an actual problem, Dropbox says

data privacy
(Image credit: Shutterstock / Zeeker2526)

Online cloud storage platform Dropbox has revealed it has suffered a data breach that saw hackers access internal code.

In late September, we reported how GitHub accounts had been stolen by fake CircleCI employees - and now it seems that Dropbox also fell prey to the same attack.

In a blog post, Dropbox said GitHub drew its attention towards suspicious activities in its account, in mid-October. After a more thorough investigation, Dropbox found that a threat actor pretending to be from CircleCI was the one accessing one of its GitHub accounts.

API keys and email addresses

While any perimeter breach is a potential disaster, Dropbox’s announcement gives the impression that this was no more than a minor incident. 

“At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information,” the blog reads. 

Whoever was behind the attack managed to access some company code that contained API keys used by Dropbox developers. They also accessed identity data, including “a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors”, out of a database of more than 700 million registered users. 

“While we believe any risk to them is minimal, we have notified those affected,” the company concluded.

To prevent similar incidents from happening again, Dropbox says it will be accelerating its adoption of WebAuthn, a open standard that allows web servers to register and authenticate users using asymmetric cryptography, instead of a password. For Dropbox, WebAuthn is “currently the gold standard” in multi-factor authentication.

Read more

> Dropbox wants to cut down on the number of apps you use at work

> What is phishing and how dangerous is it?

> These are the best firewalls right now

“Soon, our whole environment will be secured by WebAuthn with hardware tokens or biometric factors,” the company added. 

The CircleCI impersonation attack against GitHub users was first spotted in late September this year.

At the time, it was reported that if threat actors manage to get into one, the next thing they’ll do is create personal access tokens (PATs), authorize OAuth apps, and even add SSH keys to the account, to make sure they retain the access even after the owners change the password. After that they’ll take data from private repositories. The company has since blocked a number of accounts, confirmed to have been compromised. All potentially impacted users have had their account passwords reset. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
Avast cybersecurity
Zapier tells customers their data may have been accessed
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
These fake GitHub "security alerts" could actually let hackers hijack your account
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
GrubHub app on a mobile phone
GrubHub reveals massive data breach - customers, drivers, businesses all affected, here's what we know
A man looking at a tablet with a brown Best Buy package on the desk in front of him
Huge Christmas data breach - 14 million shipping records leaked, putting shoppers at risk
Latest in Security
ransomware avast
Ransomware attacks are costing Government offices a month of downtime on average
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
Data leak
Top collectibles site leaks personal data of nearly a million users
Spyware
Stalkerware data breach potentially hits over 2 million users, including thousands of Apple devices
An American flag flying outside the US Capitol building against a blue sky
Five Eyes "cannot replace US intel in Ukraine", claims former US Cyber Command Chief
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Criminals are using a virtual hard disk image file to host and distribute dangerous malware
Latest in News
Apple iPhone 16 Pro Max REVIEW
The latest batch of leaked iPhone 17 dummy units appear to show where glass meets metal on the new designs
Hornet swings their weapon in mid air
Hollow Knight: Silksong could potentially launch this year and I reckon it could be a great game for an Xbox handheld
ransomware avast
Ransomware attacks are costing Government offices a month of downtime on average
Cassian looking at someone off-camera from a TIE fighter cockpit in Andor season 2
Star Wars: Andor creator is taking a stance against AI by canceling plans to release its scripts, and I completely get why
Nintendo x Seattle Mariners partnership
The Nintendo Switch 2 logo will be featured on the Seattle Mariners' baseball jerseys this season
Apple iPhone 16 Pro Max Review
Siri's chances to beat ChatGPT just got a whole lot better
More about security
ransomware avast

Ransomware attacks are costing Government offices a month of downtime on average
Data leak

Top collectibles site leaks personal data of nearly a million users
I Hate This Place artwork

Bloober Team is keeping busy as it announces its next survival horror game I Hate This Place and offers a new look at its upcoming title Cronos: The New Dawn
See more latest
Most Popular
I Hate This Place artwork
Bloober Team is keeping busy as it announces its next survival horror game I Hate This Place and offers a new look at its upcoming title Cronos: The New Dawn
Equal1 Bell-1 quantum computer
This is the first quantum computer you can actually buy (and use, and power): Equal1's Bell-1 uses a standard power socket
Ryzen AI Max+ 395
Obscure Chinese PC vendor gets preferential AMD treatment as Lisa Su signs first desktop PC with Ryzen AI Max+ 395 ahead of May launch
Apple iPhone 16 Pro Max REVIEW
The latest batch of leaked iPhone 17 dummy units appear to show where glass meets metal on the new designs
SanDisk Slim Dual Drive
This is the first 2TB dual-port external SSD ever and it's not as expensive as you may think
Bimawen B15.6 TV Pro
A sign of things to come? This portable monitor comes with Google TV, a remote control and a very well hidden Android PC
Cassian looking at someone off-camera from a TIE fighter cockpit in Andor season 2
Star Wars: Andor creator is taking a stance against AI by canceling plans to release its scripts, and I completely get why
Kioxia LC9 2.5 SSD
After 7 years, Exadrive's 100TB 2.5-inch SSD is finally superseded by a far superior 122.88TB model from Kioxia
Nintendo x Seattle Mariners partnership
The Nintendo Switch 2 logo will be featured on the Seattle Mariners' baseball jerseys this season
ransomware avast
Ransomware attacks are costing Government offices a month of downtime on average