Dropbox disclosed on Tuesday that it suffered a data breach involving threat actors stealing code from 130 repositories after gaining access to a GitHub account using employee credentials obtained in a phishing attack.
The cloud giant said it discovered the breach on October 14 when GitHub notified it of suspicious activity that started the previous day.
“In early October, multiple Dropboxers received phishing emails impersonating CircleCI, with the intent of targeting our GitHub accounts (a person can use their GitHub credentials to log in to CircleCI).”
The company added that while its systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes.
“These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One-Time Password (OTP) to the malicious site.”
This eventually succeeded, giving the threat actor access to one of Dropbox's GitHub organizations, where they proceeded to copy 130 of their code repositories.
Dropbox believes the threat actors behind the attack are the same that targeted GitHub users in September by impersonating the code integration and delivery platform CircleCI, which Dropbox also uses for select internal deployments.
“At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information,” the company clarified.
“To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers.”
Additionally, the stolen code and the data around it also included “a few thousand” names and email addresses belonging to Dropbox employees, current and past customers, sales leads and vendors.
“We believe the risk to customers is minimal,” Dropbox wrote. “Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected.”
The data breach comes months after Paolo Passeri, cyber intelligence principal at Netskope, highlighted the role of cloud services in the hybrid war in Ukraine.