Hackers get into Dropbox developer accounts on GitHub, access 130 code repositories and more

Online storage giant Dropbox announced this week that a phishing campaign targeting its developers was successful, allowing hackers to gain access to the company’s GitHub accounts.

In a statement on Tuesday, Dropbox said the hackers were able to copy 130 code repositories and gain access to credentials as well as information on Dropbox employees, current and past customers, sales leads, and vendors.

“These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team. Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled,” Dropbox said. 

Dropbox said it has notified any users affected by the incident and explained that they were first alerted to the issue on October 14 when GitHub told them they were seeing “suspicious behavior that began the previous day.”

Dropbox traced the issue back to CircleCI — a platform used by developers for a variety of purposes. Dropbox developers can use their GitHub credentials to login to CircleCI. 

In early October, Dropbox said its employees received phishing emails impersonating CircleCI. The emails took employees to a fake CircleCI login page where the hackers obtained usernames, passwords and hardware authentication keys.

“At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information. To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers,” the company said. 

Outside forensic experts were hired to help with the investigation and the hacker’s access to the GitHub accounts was disabled the day they were informed of the issue. Dropbox noted that regulators and law enforcement were notified of the issue. 

The company said it is rolling out several new security measures to better protect their developers. 

Nick Rago, field CTO at Salt Security, told The Record that it is unclear from the incident notification what the stolen API keys were used for, what systems they connected to and the extent of the data and functional access the threat actor would have with those API keys. 

“Static API keys and other important credentials used by app developers should be secured in some manner and not stored in plain text as part of any ‘at rest’ application source code,” he said. 

Other experts said the statement from Dropbox was vague because “130 repositories” could contain large amounts of information. 

Keeper Security CTO Craig Lurey noted that this incident is representative of a larger issue many companies have: managing IT secrets.

Hardcoded credentials – user IDs and passwords written directly into source code – are notoriously insecure, yet maddeningly common, Lurey explained, noting that they’re seen in industrial control systems used to run manufacturing lines, utilities, and critical infrastructure, as well as major software companies and all manner of IoT devices.

Theon Technology’s Eric Cole said the attack was curious because of how targeted it was — rarely do hackers target a company in this way without a specific goal in mind. 

“Dropbox is making this sound like it was just a casual attack and no real damage happened, but very rarely is that true,” he said.   

Either the attacker did indeed compromise sensitive data and it was not discovered yet or information was taken that can be used for extortion or ransom payments.”