Dropbox Hacked - Phishers Access Internal Resources

Phishers have broken into the infrastructure of cloud storage provider Dropbox and accessed internal GitHub code repositories, Dropbox has revealed in a notice.

In September, GitHub shared with its clients that an unknown threat actor was impersonating code integration and delivery platform CircleCI. Dropbox employees use their GitHub credentials to also log into and work in the CircleCI environment.

On Oct. 14, Dropbox learned it was targeted with a similar - if not the same - phishing lure, prompting GitHub to alert the cloud storage outfit of the mischief. Apparently, that notice arrived too late.

“Upon further investigation, we found that a threat actor—also pretending to be CircleCI—accessed one of our GitHub accounts, too,” Dropbox disclosed.

‘A few thousand’ potentially compromised

The code the hacker(s)  accessed contained credentials used by Dropbox developers, as well as “a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.”

The company clarifies it has more than 700 million users on record, seemingly to downplay the event. But that doesn’t mean ‘thousands’ can suddenly be considered a small figure - especially if those people actually end up compromised by the hack.

Customer Dropbox contents safe

It also clarifies that, “at no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information” - at least to the company’s knowledge at this stage of the investigation.

“We take our commitment to protecting the privacy of our customers, partners, and employees seriously, and while we believe any risk to them is minimal, we have notified those affected,” Dropbox says.

Dropbox to harden security defenses

Dropbox revoked the threat actor’s access to GitHub on the day it learned of the suspicious activity. Its security teams quickly started to rotate all exposed developer credentials and began an investigation to determine what customer data—if any—was accessed or stolen. After reviewing its logs, Dropbox found no evidence of successful abuse.

The company has hired outside forensic experts to verify its findings and is now hardening its defenses by accelerating adoption of WebAuthn.

Finally, Dropbox has reported the event to regulators and law enforcement.

Users who notice suspicious behavior on their account are instructed to report the activity at dropbox.com/report_abuse.

Bitdefender Digital Identity Protection offers continuous monitoring of your online accounts and fires out an instant alert when your personal information is at risk, complete with instructions on how to address the issue.