Online cloud storage platform Dropbox has revealed it has suffered a data breach that saw hackers access internal code.
In late September, we reported how GitHub accounts had been stolen by fake CircleCI employees - and now it seems that Dropbox also fell prey to the same attack.
In a blog post (opens in new tab), Dropbox said GitHub drew its attention towards suspicious activities in its account, in mid-October. After a more thorough investigation, Dropbox found that a threat actor pretending to be from CircleCI was the one accessing one of its GitHub accounts.
API keys and email addresses
While any perimeter breach is a potential disaster, Dropbox’s announcement gives the impression that this was no more than a minor incident.
“At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information,” the blog reads.
Whoever was behind the attack managed to access some company code that contained API keys used by Dropbox developers. They also accessed identity data (opens in new tab), including “a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors”, out of a database of more than 700 million registered users.
“While we believe any risk to them is minimal, we have notified those affected,” the company concluded.
To prevent similar incidents from happening again, Dropbox says it will be accelerating its adoption of WebAuthn, a open standard that allows web servers to register and authenticate users using asymmetric cryptography, instead of a password. For Dropbox, WebAuthn is “currently the gold standard” in multi-factor authentication.
> Dropbox wants to cut down on the number of apps you use at work (opens in new tab)
> What is phishing and how dangerous is it? (opens in new tab)
> These are the best firewalls right now (opens in new tab)
“Soon, our whole environment will be secured by WebAuthn with hardware tokens or biometric factors,” the company added.
The CircleCI impersonation attack against GitHub users was first spotted in late September this year.
At the time, it was reported that if threat actors manage to get into one, the next thing they’ll do is create personal access tokens (PATs), authorize OAuth apps, and even add SSH keys to the account, to make sure they retain the access even after the owners change the password. After that they’ll take data from private repositories. The company has since blocked a number of accounts, confirmed to have been compromised. All potentially impacted users have had their account passwords reset.
- Here are the best endpoint protection (opens in new tab) services around