Personal info and data safe, stolen code not critical, apparently
The recent Dropbox phishing attack shook the cloud storage outfit a bit. Dropbox has said it was successfully phished, resulting in someone copying 130 of its private GitHub code repositories and swiping some of its secret API credentials.
Cloud storage locker on the Dropbox phishing attack
The cloud storage locker on Tuesday detailed the intrusion, and stated “no one’s content, passwords, or payment information was accessed, and the issue was quickly resolved.”
“We believe the risk to customers is minimal,” the biz added.
The security snafu came to light on October 13 when Microsoft-owned GitHub detected suspicious behavior on Dropbox's corporate account. GitHub let Dropbox know the next day, and the cloud storage outfit investigated. Dropbox determined it had fallen victim to a phisher who had impersonated the continuous integration and delivery platform CircleCI.
Dropbox employees and private code
Dropbox is a CircleCI user "for select internal deployment." Dropbox employees use their GitHub accounts to access Dropbox's private code repos, and their GitHub login details also get them into CircleCI. You know where this is going: because one set of credentials opens both services, a phish of either is a phish of both. Get a Dropbox engineer's GitHub login details by pretending to be CircleCI, use that information to get into the Dropbox GitHub organization, and then rifle through the private repos.
Interestingly, just three weeks before the attack, GitHub warned of phishing campaigns that involved impersonation of CircleCI. Dropbox appears not to have got the memo, because in early October its staff were sent – and one or more bods fell for – emails that masqueraded as legit CircleCI messages.
Explanation of the Dropbox phishing attack
"These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site," Dropbox's explanation states. That site would harvest the entered login details so that miscreants could use the info to log into a victim's GitHub account and get into the work repos. The hardware key here was being used to generate a one-time code, and an OTP is just a short string: nothing ties it to the site it is typed into, so a phishing page that relays it to GitHub within its validity window gets in. Origin-bound authenticators (FIDO2/WebAuthn) don't have that weakness, because the browser, not the user, tells the key which site is asking, and a credential minted for github.com won't produce a usable response for a look-alike domain.
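To make the difference concrete, here is a toy model of the relay described above. It is an added example, not code from Dropbox, GitHub or CircleCI; the seed, credential key, timestamp and the `circleci-login.example` look-alike origin are all constructed for the demo. The OTP half follows RFC 6238 TOTP; the origin-bound half uses an HMAC as a stand-in for the public-key signature a real FIDO2 authenticator would produce, which is enough to show why the relayed response fails at the genuine site.

```python
"""Toy model of a credential-and-OTP relay phish versus an origin-bound login.

Added example, not the code of any company named in the article. Seeds, keys,
timestamps and origins below are constructed for the demo.
"""
import hashlib
import hmac
import struct

# Constructed shared seed, as provisioned into a hardware OTP token and stored by the site.
TOKEN_SEED = b"constructed-demo-seed-not-a-real-secret"
# Constructed per-credential key bound to the legitimate site (stands in for a FIDO key pair).
CRED_KEY = b"constructed-demo-credential-key"

REAL_ORIGIN = "https://github.com"               # the site the employee meant to log in to
PHISH_ORIGIN = "https://circleci-login.example"  # constructed attacker-controlled look-alike


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def site_checks_otp(seed: bytes, submitted: str, now: int) -> bool:
    """What the real site does with a submitted OTP: recompute and compare.
    Nothing here records where the user typed the code."""
    return hmac.compare_digest(submitted, totp(seed, now))


def relay_phish_with_otp(now: int) -> bool:
    """Victim enters password + hardware OTP on the fake page; the attacker
    forwards both to the real site a few seconds later, inside the 30 s window."""
    code_typed_into_fake_page = totp(TOKEN_SEED, now)       # the victim's token output
    attacker_replays_at = now + 5                            # still the same time step
    return site_checks_otp(TOKEN_SEED, code_typed_into_fake_page, attacker_replays_at)


def authenticator_sign(key: bytes, challenge: bytes, origin_seen_by_browser: str) -> str:
    """Origin-bound assertion: the browser, not the user, supplies the origin,
    and the authenticator signs it together with the site's challenge."""
    msg = challenge + b"|" + origin_seen_by_browser.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def site_checks_assertion(key: bytes, challenge: bytes, signature: str) -> bool:
    """The real site verifies against its own origin, never the attacker's."""
    expected = authenticator_sign(key, challenge, REAL_ORIGIN)
    return hmac.compare_digest(signature, expected)


def relay_phish_with_origin_bound_key(challenge: bytes) -> bool:
    """Same relay, but the victim's browser is on the fake page, so it hands
    PHISH_ORIGIN to the authenticator; the relayed assertion fails at github.com."""
    sig = authenticator_sign(CRED_KEY, challenge, PHISH_ORIGIN)
    return site_checks_assertion(CRED_KEY, challenge, sig)


if __name__ == "__main__":
    T = 1_665_619_200  # constructed timestamp (2022-10-13 00:00 UTC), on a 30 s boundary
    print("OTP relay lets the attacker in:         ", relay_phish_with_otp(T))                      # True
    print("Origin-bound relay lets the attacker in:", relay_phish_with_origin_bound_key(b"nonce-1"))  # False
```

The OTP check passes because the code is valid for anyone who submits it in time; the origin-bound check fails because the phishing page never gets a response minted for github.com. A real deployment would also accept the adjacent TOTP window for clock skew, which only widens the relay window.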