File hosting service Dropbox on Tuesday disclosed that it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub.
"These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team," the company revealed in an advisory.
The attackers also obtained some API keys used by Dropbox developers, as well as "a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors."
Dropbox stressed, however, that the repositories did not contain source code for its core apps or infrastructure.
Dropbox, which offers cloud storage, data backup, and document signing services, among others, has over 17.37 million paying users and 700 million registered users as of August 2022.
The disclosure comes more than a month after both GitHub and CircleCI warned of phishing attacks designed to steal GitHub credentials through fake notifications purporting to be from the CI/CD platform.
The San Francisco-based firm noted that "multiple Dropboxers received phishing emails impersonating CircleCI" in early October, some of which slipped through its automated spam filters to land in employees' email inboxes.
"These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site," Dropbox explained.
The company did not reveal how many of its employees fell for the phishing attack, but said it took prompt action to rotate all exposed developer credentials and that it alerted law enforcement authorities.
It also said it found no evidence that any customer data was stolen as a result of the incident, adding that it is upgrading its two-factor authentication systems to support hardware security keys for phishing resistance.
"Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time," the company concluded. "This is precisely why phishing remains so effective."
The Dropbox notification also comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published guidance to implement phishing-resistant multi-factor authentication (MFA) to safeguard against phishing and other known cyber threats.
"If an organization using mobile push-notification-based MFA is unable to implement phishing-resistant MFA, CISA recommends using number matching to mitigate MFA fatigue," the agency said.
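Why a hardware key that emits a one-time code (the setup Dropbox describes) can be phished while a FIDO2/WebAuthn key cannot comes down to what the server is able to verify. The Python sketch below is an added illustration, not Dropbox's, GitHub's or CISA's code: the relying party, origins and secrets are constructed, and an HMAC stands in for the authenticator's asymmetric signature.

```python
import hashlib, hmac, json, struct

# Constructed relying party (RP) and lookalike login origin; neither is a real host.
RP_ID, RP_ORIGIN = "code-host.example", "https://code-host.example"
PHISH_ORIGIN = "https://ci-login.example"

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code depends only on the shared secret and time, never on a site."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def rp_verify_otp(secret: bytes, submitted: str, t: int) -> bool:
    """Server-side OTP check: a correct code is accepted whichever page the user typed it into."""
    return hmac.compare_digest(totp(secret, t), submitted)

def authenticator_sign(cred_key: bytes, origin: str, challenge: bytes) -> dict:
    """Simplified FIDO2 assertion. The browser-supplied origin and the RP ID hash are both
    covered by the signature; HMAC replaces the real asymmetric key to keep this short."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}).encode()
    rp_id_hash = hashlib.sha256(origin.split("://", 1)[1].encode()).digest()  # rpId = origin host
    auth_data = rp_id_hash + b"\x01" + struct.pack(">I", 1)  # flags: user present; signCount 1
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(cred_key, to_sign, hashlib.sha256).digest()}

def rp_verify_assertion(cred_key: bytes, assertion: dict, expected_challenge: bytes) -> bool:
    """RP-side WebAuthn checks: challenge, origin binding, RP ID hash, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:  # an assertion produced on another site is rejected here
        return False
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, to_sign, hashlib.sha256).digest(), assertion["signature"])

def demo() -> dict:
    secret, cred_key = b"constructed-shared-otp-seed", b"constructed-credential-key"
    now = 1_667_000_000  # fixed timestamp so the result is deterministic
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    code_from_fake_page = totp(secret, now)  # same code regardless of where it was entered
    on_fake_page = authenticator_sign(cred_key, PHISH_ORIGIN, challenge)
    on_real_page = authenticator_sign(cred_key, RP_ORIGIN, challenge)
    return {"otp_accepted": rp_verify_otp(secret, code_from_fake_page, now),
            "fido_fake_page_accepted": rp_verify_assertion(cred_key, on_fake_page, challenge),
            "fido_real_page_accepted": rp_verify_assertion(cred_key, on_real_page, challenge)}
```

The OTP verifies because the server has nothing to compare the submitting site against, while the WebAuthn assertion carries the origin the user actually visited and fails the relying party's check.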