Dropbox security incident: hackers accessed to 130 GitHub source code repositories

The well-known cloud storage provider Dropbox recently had a major security incident. Its employees received phishing emails to steal GitHub credentials through fake notifications purporting to be from the CI/CD platform, but they actually clicked to log in and successfully logged in with their own hardware security keys.

Fortunately, the 130 code repositories stolen this time are only slightly modified versions of the third repository, so there is no private information and no leakage of internal sensitive data. The customer’s account and password are safe.

Dropbox security incident

These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team,” the company revealed in an advisory.

A subsequent investigation found that on October 14, Github sent a security alert to Dropbox administrators, saying that some employee accounts had suspicious behavior, and then Dropbox began an investigation.

During the investigation, Dropbox found that hackers posing as the CircleCI code integration and delivery platform used by the company sent phishing emails to employees claiming that the CircleCI service agreement had changed, users must agree to the new agreement to continue using their accounts.

These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site,” Dropbox wrote.
To make matters worse, the hacker also asked the victim to provide a one-time verification code using a hardware security key on the phishing site, which eventually led to the hacker successfully logging into Github and then stealing the repository. Fortunately, no sensitive data was leaked in this security incident, but Dropbox had to strengthen security training for employees.