Dropbox Data Breach Another Multifactor Fail
Cloud Company Says User Accounts Were Not Breached, Just GitHub Code Repositories
Add Dropbox to the list of tech companies that have had a multifactor fail moment. The file storage and sharing company acknowledged Tuesday that employees fell for a well-crafted phishing campaign that gave hackers access to internal code repositories and some personally identifiable information.
Hackers did not obtain access to the contents of Dropbox cloud storage accounts, users' passwords or their payment information, the San Francisco, Calif.-based company said. The publicly traded company reports 700 million registered users, of which about 17 million are paying customers.
Hackers instead found and copied 130 Dropbox code repositories stored on GitHub, the company says. Inside the repositories were "our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team." Not included was code for core apps or infrastructure, which Dropbox says is kept under tighter access controls.
There was some personal data in the repositories. "The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors," the company said. Dropbox says it notified affected individuals despite believing that "any risk to them is minimal."
Security experts have long recommended multifactor authentication as protection against hackers who try to get into systems with stolen or guessed credentials. Threat actors have adjusted to wider uptake of that advice by pivoting to real-time theft of credentials together with the one-time authentication code. The means are phishing messages and exact copies of legitimate login pages: the fake page captures what the victim types and forwards it to the real site before the code expires.
So it was with Dropbox. The threat actor got into the repositories after sending Dropbox employees emails purporting to come from CircleCI, the continuous integration platform. The emails, sent during early October, directed Dropbox coders to a malicious login page mimicking a legitimate CircleCI login page. The phishers told coders to enter their GitHub credentials, including the one-time password generated using a hardware authentication key. A one-time code is just a short string, whatever device produced it; nothing about it ties it to the page it was typed into, so the fake page could forward it to GitHub within its validity window.
The phishing campaign was similar to one GitHub warned users about in September. Accounts secured by hardware security keys, meaning FIDO/WebAuthn authenticators rather than devices that display a one-time code, were not vulnerable to the deception even if users entered their password into the fake CircleCI login page: the browser will not let a lookalike domain request a credential registered to github.com, and the signed response names the origin it came from, so the real site rejects anything the fake page could obtain.
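The two paragraphs above (real-time relay of a password plus one-time code, and why WebAuthn security keys were not fooled) are easier to see in a simulation. The following is an added illustration, not Dropbox's or GitHub's code: a standard RFC 6238 TOTP implementation, a relying party that accepts codes from the current or adjacent 30-second step, and a simplified model of a WebAuthn security key, browser and relying party. The origins `github.example` and `circleci-login.example`, the secrets, the challenge and the credential key are all constructed, and an HMAC stands in for the authenticator's ECDSA signature; the origin and rpId checks are the ones the WebAuthn spec requires.

```python
# Added illustration (not Dropbox's or GitHub's code): why a real-time phishing
# relay captures a usable TOTP code but cannot obtain a usable WebAuthn assertion.
# Origins, relying-party IDs, secrets and keys below are constructed; an HMAC
# stands in for the security key's ECDSA signature.
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://github.example"           # assumed legitimate site
RP_ID = "github.example"                         # its WebAuthn relying-party ID
PHISH_ORIGIN = "https://circleci-login.example"  # assumed lookalike phishing site


# --- TOTP (RFC 6238, SHA-1, 30 s step): the kind of code a fake page can relay ---
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """HOTP dynamic truncation over the current time step (RFC 4226 / RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_login(secret: bytes, password: str, code: str, now: int,
               real_password: str = "victim-pw") -> bool:
    """Relying party check: password plus a code from the current or adjacent step.
    Nothing in the code records which web page the victim typed it into."""
    if password != real_password:
        return False
    return any(hmac.compare_digest(code, totp(secret, now + d * 30)) for d in (-1, 0, 1))


def simulate_totp_phish(now: int = 1_700_000_000, relay_delay: int = 5) -> bool:
    """Victim types password and the code shown on the device into the fake page;
    the attacker forwards both to the real site relay_delay seconds later."""
    secret = b"constructed-totp-seed"  # shared by the victim's device and the server
    captured_code = totp(secret, now)
    return totp_login(secret, "victim-pw", captured_code, now + relay_delay)


# --- WebAuthn-style assertion: the response is bound to origin and rpId ---
class Authenticator:
    """Stand-in for a FIDO2 security key: one credential key per relying-party ID."""
    def __init__(self):
        self.credentials = {}

    def register(self, rp_id: str, key: bytes) -> None:
        self.credentials[rp_id] = key

    def sign(self, rp_id: str, signed_bytes: bytes):
        key = self.credentials.get(rp_id)
        return None if key is None else hmac.new(key, signed_bytes, hashlib.sha256).digest()


def browser_get_assertion(auth: Authenticator, rp_id: str, origin: str, challenge: str):
    """Model of navigator.credentials.get(): the browser refuses an rpId the page's
    origin may not claim, and writes the real origin into clientData itself."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("origin %s may not use rpId %s" % (origin, rp_id))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    sig = auth.sign(rp_id, auth_data + hashlib.sha256(client_data).digest())
    return None if sig is None else {"client_data": client_data,
                                     "auth_data": auth_data, "sig": sig}


def rp_verify(cred_key: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks from the WebAuthn spec, simplified: type, challenge,
    origin, rpIdHash, then the signature over authData || SHA-256(clientData)."""
    cd = json.loads(assertion["client_data"])
    if (cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge
            or cd.get("origin") != REAL_ORIGIN):
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(assertion["sig"], hmac.new(cred_key, signed, hashlib.sha256).digest())


def _victim():
    key = b"constructed-credential-private-key"
    auth = Authenticator()
    auth.register(RP_ID, key)
    return auth, key


def simulate_webauthn_legit(challenge: str = "c-123") -> bool:
    auth, key = _victim()
    return rp_verify(key, browser_get_assertion(auth, RP_ID, REAL_ORIGIN, challenge), challenge)


def simulate_webauthn_phish(challenge: str = "c-123") -> dict:
    """The same relay against WebAuthn, three ways the attacker might try it."""
    auth, key = _victim()
    out = {}
    try:  # 1. Fake page asks for the real site's credential: the browser refuses.
        browser_get_assertion(auth, RP_ID, PHISH_ORIGIN, challenge)
        out["browser_released_credential"] = True
    except PermissionError:
        out["browser_released_credential"] = False
    # 2. Fake page asks for its own rpId: the victim never registered a key there.
    phish_rp = PHISH_ORIGIN.split("://", 1)[1]
    out["assertion_for_fake_site"] = browser_get_assertion(auth, phish_rp, PHISH_ORIGIN, challenge) is not None
    # 3. Attacker forges clientData naming the real origin but lacks the credential key.
    forged_cd = json.dumps({"type": "webauthn.get", "challenge": challenge,
                            "origin": REAL_ORIGIN}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()
    forged_sig = hmac.new(b"attacker-guess", auth_data + hashlib.sha256(forged_cd).digest(), hashlib.sha256).digest()
    out["forged_assertion_accepted"] = rp_verify(
        key, {"client_data": forged_cd, "auth_data": auth_data, "sig": forged_sig}, challenge)
    return out


if __name__ == "__main__":
    print("TOTP relay accepted by real site:", simulate_totp_phish())
    print("WebAuthn legitimate login:", simulate_webauthn_legit())
    print("WebAuthn relay outcomes:", simulate_webauthn_phish())
```

Running it shows the asymmetry: the relayed TOTP code is accepted because the server's only check is "does this code match the current step", and a five-second relay lands inside that step (a 90-second delay does not, which is why these kits forward in real time). The WebAuthn attempts all fail, and not because the user was careful: the browser, not the user, decides which origin may ask for which credential, and the signature covers the origin the browser observed.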
Dropbox says the incident is pushing it to speed up internal adoption of the Web Authentication (WebAuthn) standard, a form of multifactor login that depends on authenticators such as a small USB security key and that resists this kind of phishing because the authenticator's response is bound to the legitimate site's origin.