Dropbox appears to have been successfully phished, and the attackers raided company GitHub repositories for code and keys. The company says that its customers are not at any risk directly related to the security breach, but the breadth of internal information that was stolen remains unknown.
GitHub repositories may have contained sensitive internal code, access keys
The security breach was traced back to an employee who followed a phishing link to a bogus login page and entered their credentials on October 13. The attacker appeared to be specifically targeting the CircleCI DevOps integration platform; GitHub credentials can be used to log in to that system, which is what happened in this case. The attackers then used the stolen credentials to raid some 130 GitHub repositories belonging to Dropbox.
Dropbox employees are issued hardware security keys as a secondary login verification method, but this did not seem to help in this case. The company issued a statement indicating that it plans to move to a more robust MFA method due to the security breach.
It is unknown exactly what the method of attack was, but third-party platform phishing of this sort has become popular and common among criminals in recent months. Much of this activity is driven by automated bots that lead with an email and then signal an operator for escalation to more sophisticated measures (such as a follow-up phone call) once a potential victim is on the hook.
In terms of what was stolen in the security breach, Dropbox said that the sales lead, employee and vendor information taken was limited to lists containing only names and email addresses (with several thousand individuals impacted). The contents of the GitHub repositories are more concerning, but there Dropbox would only confirm that some developer API keys were taken along with company code.
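The developer API keys taken from the repositories illustrate the risk that matters most once source control is compromised: credentials checked into code are exposed to anyone who can clone it. The scanner below is an added example, not Dropbox's tooling or anything from the incident, showing how a defender can catch such keys before they are committed. It matches the documented public prefixes for GitHub personal access tokens (`ghp_` and related) and AWS access key IDs (`AKIA`/`ASIA`), plus a generic assignment rule whose entropy threshold (3.0 bits per character, an assumption chosen for illustration) filters out obvious placeholders. The sample file is constructed; the AWS key in it is the example key from AWS's own documentation and the GitHub token is a made-up string of the right shape.

```python
"""Minimal committed-secret scanner (added example, not from the article)."""
import math
import re
from collections import Counter
from pathlib import Path
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    snippet: str  # masked, so the scanner's own output never leaks the value


# Token formats. GitHub's ghp_/gho_/ghu_/ghs_/ghr_ + 36 chars and AWS's
# AKIA/ASIA + 16 chars are public formats; the generic rule is a heuristic.
PATTERNS = {
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
    ),
}

# Assumed threshold: quoted values below this look like placeholders, not keys.
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep only the first and last four characters for reporting."""
    if len(value) <= 12:
        return "****"
    return value[:4] + "****" + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents and return every credential-shaped hit."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if kind == "generic_assignment":
                    candidate = match.group(2)
                    # Skip low-entropy values such as "changeme_changeme".
                    if shannon_entropy(candidate) < MIN_ENTROPY_BITS:
                        continue
                else:
                    candidate = match.group(0)
                findings.append(Finding(path, line_no, kind, mask(candidate)))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Walk a checkout (skipping .git) and scan every UTF-8 text file."""
    findings: list[Finding] = []
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary file; a real scanner would handle these separately
        findings.extend(scan_text(str(path), text))
    return findings


# Constructed sample: a settings file accidentally committed to a repository.
# Line 3 is a made-up token of GitHub's shape; line 4 is AWS's documented
# example access key ID; line 6 is a placeholder the entropy check should skip.
SAMPLE_FILE = """\
# settings.py (constructed sample)
DEBUG = True
GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJklmnop
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = "sk_test_4f9d8e7c6b5a4e3d2c1b0a9f8e7d6c5b"
password = "changeme_changeme"
"""


if __name__ == "__main__":
    for f in scan_text("settings.py", SAMPLE_FILE):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.snippet}")
```

Run as a pre-commit hook or CI step (`scan_tree(Path("."))`), a non-empty result should fail the build. Prefix matching catches the well-known key formats reliably; the entropy rule trades some false positives for coverage of formats the prefix list does not know about. Neither replaces the structural fix of keeping secrets in a vault or CI secret store and rotating any key that has ever been committed.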
Security breach could create future problems
No more than a relative handful of Dropbox customers appear to have had an email address exposed (and no further contact or payment information), but the security breach could come back to haunt the company depending on exactly what was taken from the GitHub repositories. Dropbox has not released nearly enough information about the incident to make any kind of useful assessment about that possibility.
It is also not unheard of for security breaches to expand in scope as investigations unfold. There are numerous cases where the initial estimate was far too conservative, and the eventual damage was much greater than originally reported. Dropbox has said that “sensitive data” was not included in the materials taken from the GitHub repositories, but it is very difficult to say that with certainty until the full impact is mapped out. Dropbox does not yet have any security recommendations for customers, but keeping an eye out for further announcements is definitely a prudent idea.