We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub. No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected and are sharing more here.
~ ~ ~
In today's evolving threat landscape, people are inundated with messages and notifications, making phishing lures hard to detect. Threat actors have moved beyond simply harvesting usernames and passwords, to harvesting multi-factor authentication codes as well. In September, GitHub detailed one such phishing campaign, in which a threat actor accessed GitHub accounts by impersonating the code integration and delivery platform CircleCI.
We recently learned that Dropbox was targeted by a similar campaign. On October 14, 2022, GitHub alerted us to some suspicious behavior that began the previous day. Upon further investigation, we found that a threat actor—also pretending to be CircleCI—accessed one of our GitHub accounts, too.
At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information. To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers. The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users). We take our commitment to protecting the privacy of our customers, partners, and employees seriously, and while we believe any risk to them is minimal, we have notified those affected.
At Dropbox, our number one company value is being worthy of trust. In the interest of transparency, and to contribute to the industry’s understanding of these types of threats, we want to share what happened and how we responded.
What happened and our response
At Dropbox, we use GitHub to host our public repositories as well as some of our private repositories. We also use CircleCI for select internal deployments. In early October, multiple Dropboxers received phishing emails impersonating CircleCI, with the intent of targeting our GitHub accounts (a person can use their GitHub credentials to log in to CircleCI).
While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes. These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site. This eventually succeeded, giving the threat actor access to one of our GitHub organizations where they proceeded to copy 130 of our code repositories.
These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team. Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled.
On the same day we were informed of the suspicious activity, the threat actor’s access to GitHub was disabled. Our security teams took immediate action to coordinate the rotation of all exposed developer credentials, and determine what customer data—if any—was accessed or stolen. We also reviewed our logs, and found no evidence of successful abuse. To be sure, we hired outside forensic experts to verify our findings, and reported this event to the appropriate regulators and law enforcement.
What we’re doing next
Our security teams work tirelessly to keep Dropbox worthy of our customers' trust. While the information accessed by this threat actor was limited, we hold ourselves to a higher standard. We're sorry we fell short, and apologize for any inconvenience. One way we hope to prevent a similar incident from occurring is by accelerating our adoption of WebAuthn.
Not all types of multi-factor authentication are created equal, and some are more vulnerable to phishing than others. While many organizations still rely on less secure forms of multi-factor authentication—such as push notifications, one-time passwords (OTP), and time-based one-time passwords (TOTP)—WebAuthn is currently the gold standard.
Prior to this incident, we were already in the process of adopting this more phishing-resistant form of multi-factor authentication. Soon, our whole environment will be secured by WebAuthn with hardware tokens or biometric factors. (We also offer WebAuthn to Dropbox customers. Visit our help center to learn how to enable this security measure on your Dropbox account.)
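As an added illustration (not code from the Dropbox post), the following Python simulation shows why an OTP relayed through a fake login page still verifies while a WebAuthn assertion produced on that page does not: the browser, not the page, writes the origin and RP ID into the signed data. The relying party, the origins, the challenge values and the HMAC stand-in for the credential's asymmetric signature are all constructed assumptions.

```python
import hashlib, hmac, json
from urllib.parse import urlparse

RP_ID = "github.example"                          # constructed relying-party id
RP_ORIGIN = "https://github.example"              # constructed legitimate origin
PHISH_ORIGIN = "https://circleci-login.invalid"   # constructed look-alike phishing origin
# Constructed stand-in for the credential key pair: real WebAuthn uses an asymmetric
# signature (e.g. ES256); an HMAC over the same signed bytes keeps this runnable offline.
CRED_KEY = b"constructed-demo-credential-key"

def browser_get_assertion(origin, challenge):
    """Simulates navigator.credentials.get() on a page at `origin`: the browser fills in
    the origin itself and only allows an RP ID that is the page's own domain, so the
    authenticator signs over where the user really is, not where the page claims to be."""
    rp_id = urlparse(origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    sig = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return client_data, auth_data, sig

def rp_verify_assertion(expected_challenge, client_data, auth_data, sig):
    """Subset of the relying party's assertion-verification steps from the WebAuthn spec."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:               # origin binding: defeats the relay
        return False, "origin mismatch: " + cd.get("origin", "")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"

def rp_verify_otp(expected_otp, submitted_otp):
    """An OTP is just a string: nothing in it records where the user typed it."""
    return hmac.compare_digest(expected_otp, submitted_otp)

def phished_otp_login():
    otp = "482913"          # constructed OTP the real service currently expects
    return rp_verify_otp(otp, otp)   # victim typed it on the fake page; attacker relays it unchanged

def phished_webauthn_login():
    challenge = "constructed-challenge-1"   # attacker obtained a real challenge and relayed it
    return rp_verify_assertion(challenge, *browser_get_assertion(PHISH_ORIGIN, challenge))

def legitimate_webauthn_login():
    challenge = "constructed-challenge-2"
    return rp_verify_assertion(challenge, *browser_get_assertion(RP_ORIGIN, challenge))
```

The rpIdHash check also fails for the phished assertion, but the origin check is reached first; both are properties a relayed OTP simply does not have.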
We know it’s impossible for humans to detect every phishing lure. For many people, clicking links and opening attachments is a fundamental part of their job. Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time. This is precisely why phishing remains so effective—and why technical controls remain the best protection against these kinds of attacks. As threats grow more sophisticated, the more important these controls become.
Remember, if you ever notice suspicious behavior on your Dropbox account, you can report it to us here.