top of page

Dropbox left wide open by phishing attack

Dropbox, a file hosting service owned by the American company Dropbox, Inc., revealed that threat actors used a phishing attack to successfully target and access 130 of its GitHub repositories.


On October 13, 2022, crooks impersonated the code integration and delivery platform CircleCI to gain access to one of Dropbox's GitHub accounts. Dropbox makes use of these to host public and private repositories. GitHub already warned its users about phishing emails impersonating CircleCI about two months ago.


In phishing emails sent to multiple Dropbox employees, threat actors posed as CircleCI, requesting that they visit a fake CircleCI login page, enter their GitHub credentials, and provide a one-time password to the site.


“While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes,” Dropbox’s team explains.


As a result, hackers gained access to one of Dropbox's GitHub organisations and copied 130 of its code repositories. These files contained modified copies of third-party libraries, internal prototypes, as well as some security tools and configuration files.



According to the security team's press release, the incident had no impact on Dropbox's core infrastructure, content, passwords, or payment information.


“We believe the risk to customers is minimal,” Dropbox’s team says.


Cybercriminals did, however, gain access to certain credentials, primarily API keys used by Dropbox developers. Its code contained several thousand names and email addresses of Dropbox employees, current and past customers, sales leads, and vendors.


Following the attack, Dropbox's team hired forensic experts to confirm the accuracy of their findings and analysis.


Further reading

 

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

 

Comments


The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.

 

EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page