Cloud storage service Dropbox has been sharing details of how it was successfully targeted by a phishing campaign in which a threat actor impersonated the continuous integration and delivery (CI/CD) platform CircleCI to gain access to one of its GitHub accounts and copy code and data.
The information accessed included API keys used by Dropbox developers, along with names and email addresses of employees, customers, sales leads and vendors. Dropbox described the set of affected individuals as limited, but it numbers in the thousands.
GitHub had previously warned against a similar phishing campaign in which threat actors impersonated CircleCI in their phishing lures.
“No one’s content, passwords or payment information was accessed, and the issue was quickly resolved,” said a Dropbox spokesperson. “Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled.
“We believe the risk to customers is minimal. At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password or their payment information.”
The firm added: “We take our commitment to protecting the privacy of our customers, partners and employees seriously, and while we believe any risk to them is minimal, we have notified those affected.”
The breach came to light in mid-October when a number of “Dropboxers” received emails seeming to be from CircleCI, which Dropbox uses for “select internal deployments”. Some of these emails were intercepted and quarantined by Dropbox’s email filtering, but others reached their recipients.
The emails directed recipients to a fake CircleCI login page, where they were asked to enter their GitHub username and password and then use their hardware authentication key to generate a one-time password (OTP) and type it into the site. Unlike a WebAuthn assertion, an OTP is not bound to the site that requested it, so a phishing page can relay both the password and the code to the real GitHub login within the code’s validity window. In one instance the threat actor succeeded, and from there was able to copy 130 code repositories.
GitHub alerted Dropbox on 14 October, and the threat actor’s access was revoked that same day, after which Dropbox’s security team rotated the exposed credentials and set about determining what data had been accessed.
To date, its investigations and monitoring, with the support of a third-party cyber forensics team, have found no evidence of successful abuse of the exposed data.
“We know it’s impossible for humans to detect every phishing lure,” said the firm. “For many people, clicking links and opening attachments is a fundamental part of their job. Even the most sceptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time. This is precisely why phishing remains so effective – and why technical controls remain the best protection against these kinds of attack. As threats grow more sophisticated, the more important these controls become.
“Our security teams work tirelessly to keep Dropbox worthy of our customers’ trust. While the information accessed by this threat actor was limited, we hold ourselves to a higher standard. We’re sorry we fell short, and apologise for any inconvenience.”
As a result of the attack, Dropbox is now understood to be bringing forward its adoption of WebAuthn, which it described as the “gold standard” of multi-factor authentication (MFA). WebAuthn binds each login to the origin that requested it, so a credential cannot be used from a look-alike domain the way a password and OTP were here. Dropbox had already begun rolling out WebAuthn MFA internally before the attack, and already offers it to customers.
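The difference between the two flows is easier to see in code. The following is an added example, not code from Dropbox, CircleCI or GitHub: it simulates a phishing page at the made-up origin circleci-login.example relaying a victim’s credentials to a relying party standing in for GitHub. The OTP path is standard RFC 4226 HOTP; the WebAuthn path follows the specification’s clientDataJSON and authenticatorData layout but, to stay on the Python standard library, uses HMAC with a shared secret in place of the ECDSA signature (which is an assumption of the demo, not how real authenticators sign). The class and function names are the example’s own.

```python
"""Phishable OTP versus origin-bound WebAuthn, as a runnable simulation.

Added illustration; RP_ORIGIN, PHISH_ORIGIN and the single-user RelyingParty
are constructed for the demo.  HMAC stands in for the ECDSA signature.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "github.com"                            # relying party being logged into
RP_ORIGIN = "https://github.com"
PHISH_ORIGIN = "https://circleci-login.example"  # constructed look-alike site


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the kind of code a hardware key or app displays."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class RelyingParty:
    """Minimal server holding one user's password, OTP seed and WebAuthn key."""

    def __init__(self):
        self.password = "correct horse"
        self.otp_seed = secrets.token_bytes(20)
        self.otp_counter = 0
        self.cred_key = secrets.token_bytes(32)   # demo stand-in for the public key
        self.pending_challenge = None

    def login_password_otp(self, password: str, otp: str) -> bool:
        expected = hotp(self.otp_seed, self.otp_counter)
        ok = password == self.password and hmac.compare_digest(otp, expected)
        if ok:
            self.otp_counter += 1
        return ok

    def begin_webauthn(self) -> bytes:
        self.pending_challenge = secrets.token_bytes(32)
        return self.pending_challenge

    def finish_webauthn(self, client_data: bytes, auth_data: bytes, sig: bytes) -> str:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return "rp_rejected_type"
        if base64.urlsafe_b64decode(cd["challenge"]) != self.pending_challenge:
            return "rp_rejected_challenge"
        if cd.get("origin") != RP_ORIGIN:
            return "rp_rejected_origin"      # assertion was produced on another site
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return "rp_rejected_rpid"
        signed = auth_data + hashlib.sha256(client_data).digest()
        if not hmac.compare_digest(hmac.new(self.cred_key, signed, hashlib.sha256).digest(), sig):
            return "rp_rejected_signature"
        self.pending_challenge = None
        return "ok"


class Authenticator:
    """Hardware key: each credential is scoped to the RP ID it was created for."""

    def __init__(self, rp_id: str, cred_key: bytes):
        self.creds = {rp_id: cred_key}
        self.sign_count = 0

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self.creds.get(rp_id)
        if key is None:
            return None                         # no credential for that RP ID
        self.sign_count += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + self.sign_count.to_bytes(4, "big")
        return auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()


class BrowserRefused(Exception):
    pass


def browser_get(page_origin: str, rp_id: str, challenge: bytes, key: Authenticator, enforce_rp_id: bool = True):
    """navigator.credentials.get() as the user agent performs it: the page never sets origin."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        raise BrowserRefused(f"{page_origin} may not use RP ID {rp_id}")
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": base64.urlsafe_b64encode(challenge).decode(),
                              "origin": page_origin}).encode()
    result = key.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return None if result is None else (client_data, *result)


def setup():
    rp = RelyingParty()
    return rp, Authenticator(RP_ID, rp.cred_key)


def scenario_otp_phish(rp: RelyingParty) -> bool:
    """Victim types password and hardware-key OTP into the fake page; phisher relays both."""
    captured = {"password": rp.password, "otp": hotp(rp.otp_seed, rp.otp_counter)}
    return rp.login_password_otp(captured["password"], captured["otp"])


def scenario_webauthn_phish(rp: RelyingParty, key: Authenticator, enforce_rp_id: bool = True) -> str:
    """Phisher forwards GitHub's real challenge and asks the key to sign as github.com."""
    challenge = rp.begin_webauthn()
    try:
        result = browser_get(PHISH_ORIGIN, RP_ID, challenge, key, enforce_rp_id)
    except BrowserRefused:
        return "browser_refused"
    return rp.finish_webauthn(*result)       # relayed to the real site


def scenario_webauthn_legit(rp: RelyingParty, key: Authenticator) -> str:
    challenge = rp.begin_webauthn()
    return rp.finish_webauthn(*browser_get(RP_ORIGIN, RP_ID, challenge, key))


if __name__ == "__main__":
    rp, key = setup()
    print("OTP phish, attacker logged in:", scenario_otp_phish(rp))
    print("WebAuthn phish, honest browser:", scenario_webauthn_phish(rp, key))
    print("WebAuthn phish, rpId check skipped:", scenario_webauthn_phish(rp, key, False))
    print("WebAuthn on the real site:", scenario_webauthn_legit(rp, key))
```

The OTP scenario succeeds for the attacker because the server can only check that the code is correct, not where the user typed it. The WebAuthn scenario fails twice over: an honest browser refuses to let circleci-login.example request an assertion for the RP ID github.com, and even a browser that skipped that check would still stamp the phishing origin into clientDataJSON, which the relying party rejects. That second, server-side check is the one worth keeping in mind when deploying WebAuthn: verify the origin and the rpIdHash, not just the signature.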
“Phishing continues to grow in popularity among hackers as other security measures improve while it remains effective and cheap,” said Martin Jartelius, chief security officer at Outpost24.
“There are some things that can be made to circumvent those specific threats, including using password managers that are browser integrated where the password manager will not have a matching domain and hence not submit a password in phishing cases, or the use of YubiKeys that validate the claim for the identity of the site for the second factor with the same effect.”
Jartelius added: “What we can note here that is positive is that while the user affected had access to repos made available to most developers in the organisation, this did not include the core product repositories. The less great part is that both staff and partner personal data was stored in git repositories. Hopefully, this only relates to contact information relevant to developers, but from the released information this is not entirely clear.”
Sam Curry, chief security officer at Cybereason, said Dropbox’s ultimate role as a “super-aggregator of data” made it an attractive and potentially highly lucrative target for threat actors, which put the onus on Dropbox to make itself harder to attack.
“Even if they do security better, they have to do it a lot better than a normal company of their size and revenue to avoid being a victim,” said Curry.
“It seems from the outside looking in that Dropbox know their own weaknesses and have plans they are accelerating to improve identity security and strengthen authentication and authorisation.
“My advice is to keep going, look for single points of failure, be as transparent as you can post-incident, update risk assessments, get those lessons learned, continue to act with customers and partners in mind first and foremost. History will see you as a hero or a villain, never a victim, so make decisions to be the hero.”