Most organizations prefer to maintain as much secrecy as possible in the face of a hacker attack or something similar. At Dropbox it was different. The company began the month of November by acknowledging an intrusion that resulted in the capture of 130 of its private repositories on GitHub.
According to Dropbox, the activity was identified on October 14 of this year, when GitHub alerted the company to suspicious activity in its repositories (online environments that store project source code and control its versions).
After a rigorous investigation, Dropbox’s security experts confirmed that one of their GitHub accounts was improperly accessed the day before.
If we go back a little in time, we find that in September GitHub warned of a phishing campaign that aimed to steal login data and even two-step authentication codes. This campaign targeted users of the CircleCI integration platform.
Well, the intrusion into Dropbox’s repositories was based precisely on an attacker who, posing as a representative of CircleCI, managed to access one of the company’s accounts on GitHub.
The attack started with emails instructing Dropbox developers to log in to a fake CircleCI page. Some of these messages were blocked, but others reached their recipients.
At least one of the employees fell for the trap and, using his hardware authentication key, passed a one-time password (OTP) to the attackers.
Subsequently, the account in question on GitHub was hacked. Dropbox estimates that at least 130 of its repositories were captured due to unauthorized access.

Core apps not affected
In its note about the incident, Dropbox explains that the leak did not include the source code of its core applications or infrastructure. “Access to these repositories is even more limited and strictly controlled,” the company adds.
The compromised repositories basically contained external libraries adapted for internal use, prototypes and some tools used by the security team.
Employee credentials and API keys, as well as lists with a few thousand names and email addresses of employees and customers, were also compromised (but not access to these accounts themselves).
The company explains that no user content, passwords or payment information was included in the leak, however.
And now?
It is clear that an incident like this is worrying, even more so for a service whose purpose is to keep data confidential. That is why Dropbox apologized for the incident and promised to take action.
The most important of these is to accelerate the adoption of WebAuthn. This is the name of a standard that allows access to services through a USB key, a specific application or a fingerprint reader, for example.
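To show why this remedy matters for exactly the kind of attack described above, here is an added example (not code from Dropbox, GitHub or this article) contrasting an OTP check with the origin and RP ID checks a WebAuthn relying party performs; the service name, origins and OTP value are constructed.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party (service) configuration, not Dropbox's or GitHub's.
RP_ID = "example-service.test"
ALLOWED_ORIGINS = {"https://login.example-service.test"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def otp_check(expected: str, submitted: str) -> bool:
    # An OTP is just digits: nothing says where it was typed, so a code entered
    # on a fake page and relayed by the attacker verifies like any other.
    return secrets.compare_digest(expected, submitted)

def browser_assertion(page_origin: str, page_rp_id: str, challenge: bytes):
    # Simulates the browser's side: origin and RP ID hash come from the page
    # actually being visited (a browser rejects an RP ID that is not a suffix of
    # that origin), so a look-alike domain can only obtain its own values.
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    rp_id_hash = hashlib.sha256(page_rp_id.encode()).digest()
    return json.dumps(client_data).encode(), rp_id_hash + bytes(5)  # flags + counter

def webauthn_check(challenge: bytes, client_data_json: bytes, auth_data: bytes) -> bool:
    # Simplified relying-party checks from the WebAuthn assertion procedure;
    # signature verification is omitted because the point here is origin binding.
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False  # assertion was produced on a page the service does not own
    if client_data.get("challenge") != b64url(challenge):
        return False  # replayed or mismatched challenge
    return auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()

def phishing_outcomes() -> dict:
    # Same user, same hardware key: a relayed OTP passes, a relayed WebAuthn
    # assertion made on the fake page does not.
    challenge = secrets.token_bytes(32)
    genuine = browser_assertion("https://login.example-service.test", RP_ID, challenge)
    fake = browser_assertion("https://login.example-service-sso.test", "example-service-sso.test", challenge)
    return {
        "otp_relayed_by_attacker": otp_check("492871", "492871"),
        "webauthn_genuine": webauthn_check(challenge, *genuine),
        "webauthn_from_fake_page": webauthn_check(challenge, *fake),
    }
```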
The episode also serves as a general warning about the importance of using additional security mechanisms and of guidance against phishing. The fact that one or more Dropbox developers fell for the trap makes it clear that no one is immune to the problem.
https://tecnoblog.net/noticias/2022/11/02/130-repositorios-de-codigo-do-dropbox-sao-roubados-em-ataque-de-phishing/