Dropbox reveals data breach after phishing attack let hackers access private code

data privacy
(Image credit: Shutterstock / Zeeker2526)

Online cloud storage platform Dropbox has revealed it has suffered a data breach that saw hackers access internal code.

In late September, we reported how GitHub accounts had been stolen by fake CircleCI employees - and now it seems that Dropbox also fell prey to the same attack.

In a blog post, Dropbox said GitHub drew its attention towards suspicious activities in its account, in mid-October. After a more thorough investigation, Dropbox found that a threat actor pretending to be from CircleCI was the one accessing one of its GitHub accounts.

API keys and email addresses

While any perimeter breach is a potential disaster, Dropbox’s announcement gives the impression that this was no more than a minor incident. 

“At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information,” the blog reads. 

Whoever was behind the attack managed to access some company code that contained API keys used by Dropbox developers. They also accessed identity data, including “a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors”, out of a database of more than 700 million registered users. 

“While we believe any risk to them is minimal, we have notified those affected,” the company concluded.

To prevent similar incidents from happening again, Dropbox says it will be accelerating its adoption of WebAuthn, a open standard that allows web servers to register and authenticate users using asymmetric cryptography, instead of a password. For Dropbox, WebAuthn is “currently the gold standard” in multi-factor authentication.

“Soon, our whole environment will be secured by WebAuthn with hardware tokens or biometric factors,” the company added. 

The CircleCI impersonation attack against GitHub users was first spotted in late September this year.

At the time, it was reported that if threat actors manage to get into one, the next thing they’ll do is create personal access tokens (PATs), authorize OAuth apps, and even add SSH keys to the account, to make sure they retain the access even after the owners change the password. After that they’ll take data from private repositories. The company has since blocked a number of accounts, confirmed to have been compromised. All potentially impacted users have had their account passwords reset. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.