Dropbox recently disclosed a security breach in which attackers gained access to one of its GitHub accounts through a phishing campaign and stole 130 code repositories.
According to the company, the breach came to light on October 14, when GitHub alerted Dropbox to suspicious activity on the account that had begun the previous day. Dropbox's investigation found that the threat actor had impersonated CircleCI, a continuous integration and delivery (CI/CD) platform that several Dropbox employees use.
The phishing email asked the recipient to sign in to their GitHub account through CircleCI and accept the latter's new terms of use and privacy policy in order to keep using the service. The link led to a fake CircleCI login page that prompted for the recipient's GitHub username and password. Any credentials entered there went straight to the attackers, who could then use them to take over the account.
Worse, the page also asked the recipient to use their hardware authentication key to generate a one-time password (OTP) and enter it on the malicious site. An OTP is just a short code the user types, so it can be relayed to the real site within its validity window exactly like the password; this form of two-factor authentication does not resist a real-time phishing relay.
This scheme eventually succeeded: the attackers gained access to one of Dropbox's GitHub organizations and stole 130 of its code repositories. According to Dropbox, these included copies of third-party libraries slightly modified for use by the company, internal prototypes, and some tools and configuration files used by its security team. Code for Dropbox's core apps and infrastructure was not affected. Dropbox also stated that the threat actor did not have access to the contents of customers' Dropbox accounts, passwords, or payment information.
In response to the incident, Dropbox said it is accelerating its adoption of WebAuthn. WebAuthn is the browser API at the heart of FIDO2: instead of a shared secret or a typed code, the site registers a public key from an authenticator (a hardware security key, or the built-in platform authenticator of a phone or laptop) and later verifies a signature over a fresh challenge. The browser scopes each credential to the site's domain and records the page's origin inside the signed data, so a credential registered for github.com cannot be exercised from, or replayed by, a lookalike phishing domain. That origin binding is what makes WebAuthn phishing-resistant where OTP-based second factors are not.
Source: Dropbox via BleepingComputer