Dropbox Breach - The Latest in a Series of Credential Attacks


Well-known file storage and sharing service Dropbox recently disclosed a security incident in which it was breached.  Dropbox is the most recent company to reveal an attack vector similar to ones we have reported on previously with the Medibank and GTA6 breaches.

What do these breaches have in common?  All three started with a phishing campaign in which the attacker gained initial access using stolen user credentials.

This recent breach has a slight twist in how the users were targeted.

So let's break down exactly what happened, and how you can protect yourself from similar breaches.

Terminology

Before we dive into the details of the Dropbox leak, let's talk about a few concepts to add some clarity to what happened:

CI/CD

First, CI/CD, or Continuous Integration / Continuous Delivery (often referred to as the CI/CD pipeline).  This is a development practice in which frequent small code changes are made in an effort to drive continuous improvement of the software.  It is the common modern approach, in contrast to the more traditional model in which several months of code changes are bundled into a single update delivered to customers.  In the modern web-based environment this approach is used with most platforms.

DevOps

The CI/CD pipeline is often referred to in the context of DevOps, which is the concept of integrating Development and Operations teams (hence DevOps).  DevOps teams are usually created to speed up the process of taking updated code, getting it tested, and deploying it in an automated fashion.  Many modern organizations use these concepts, especially with their Cloud computing platforms.  Similarly, DevOps can also refer to using code to manage infrastructure in the Cloud.

Code Repositories

Finally, let's talk briefly about GitHub and CircleCI.  Most people in the IT community know GitHub as the most commonly used platform for storing software code.  It is a repository where teams can work together to develop applications, with capabilities for version control and for integrating multiple branches of code simultaneously.  CircleCI is a platform developers can use to build their CI/CD pipelines, and it relies heavily on GitHub.

What happened?

OK, let's get to the meat of what happened.  On November 1st, 2022, Dropbox posted an article on their Security Team Blog providing more details about the incident.  In their article they reference how earlier this year GitHub posted their own article detailing a phishing campaign targeting users of CircleCI.  GitHub's article gives much more detail about how this attack takes place and the steps involved.

Dropbox discovered that a very similar campaign targeted their employees in early October.  In their case, GitHub alerted Dropbox to suspicious activity in their repositories on October 14th, 2022.  One important thing to note here is that while Dropbox security systems did quarantine most of the phishing emails before they reached users, some of those emails did make it through the filters.

The emails which made it through were designed to look legitimate and instructed users to visit a fake CircleCI login page.  Once at the login page, the page requested the user's GitHub credentials and One Time Password (OTP).  Eventually, these phishing attempts succeeded, giving the threat actor access to one of Dropbox's GitHub organizations, which contained 130 repositories.

The code repositories impacted included Dropbox copies of third-party libraries they had modified.  They also contained internal prototypes and some tools and configuration files used by the security team.  Dropbox makes an important note here that neither the source code for their core applications nor any customer accounts were compromised.

It is important to note, however, that Dropbox also indicated some API keys used by developers were compromised, although their article gives no clarity on what those API keys were used for.  They also indicate that "a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors" were part of the security breach.  Dropbox did indicate they have notified impacted parties, but there is little clarity as to why sales leads or customer data including names and email addresses were stored in these otherwise innocuous GitHub repositories.

How can you protect yourself?

Email Filtering and User Training

Phishing attempts have become the norm, as we have seen in the recent string of successful attacks against quite an extensive list of companies.  So it is important to have the two first-line controls in place: email filtering and user training, specifically training on recognizing phishing emails.  Implementing these two controls will go a long way towards reducing the risk of a successful phishing attack.

Physical Authentication Device

However, we are all human and humans make mistakes, so it's important to understand that these controls alone are not enough to prevent a breach.  As Dropbox indicated in their article, implementing a more secure authentication mechanism based on FIDO2 (or WebAuthn) makes modern phishing attacks of this kind much less likely to succeed.  In other words, an authentication mechanism that relies on a physical device means a password and OTP captured on a fake login page are no longer enough for the attacker to gain access.
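The reason a FIDO2/WebAuthn login cannot be harvested the way the GitHub password and OTP were is that the browser and authenticator bind each response to the site that requested it. The following added example (written for this article, not code from Dropbox, GitHub or the Soteri products; `github.example` and `circleci-login.invalid` are assumed placeholder domains) shows the relying-party checks that enforce that binding, and how a response produced on a look-alike page fails them even when the attacker relays the server's real challenge.

```python
import base64
import hashlib
import json

# Relying-party settings (assumed values for this example, not GitHub's or Dropbox's real ones).
EXPECTED_RP_ID = "github.example"
EXPECTED_ORIGIN = "https://github.example"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def simulate_assertion(page_origin, rp_id, challenge):
    """Constructed stand-in for what navigator.credentials.get() returns: the browser
    records the page's real origin in clientDataJSON, and the authenticator prefixes
    authenticatorData with SHA-256(rpId). A web page cannot choose either value."""
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": page_origin}
    flags, sign_count = b"\x05", (1).to_bytes(4, "big")  # UP + UV set, counter = 1
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    return json.dumps(client_data).encode(), authenticator_data


def verify_binding(client_data_json, authenticator_data, expected_challenge):
    """Relying-party checks that give WebAuthn its phishing resistance. The signature over
    authenticatorData || SHA-256(clientDataJSON) is omitted here to keep the focus on
    origin binding; a real verifier must check it as well."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: assertion was scoped to a different site"
    return True, "ok"


def demo():
    challenge = b"\x11" * 32  # server-generated nonce; fixed here for reproducibility
    legit = verify_binding(*simulate_assertion(EXPECTED_ORIGIN, EXPECTED_RP_ID, challenge), challenge)
    # A look-alike login page runs on its own origin, so even if it relays the real
    # challenge, the browser records that origin and the authenticator scopes the
    # assertion to it; the relying party rejects the response.
    phish = verify_binding(*simulate_assertion("https://circleci-login.invalid", "circleci-login.invalid", challenge), challenge)
    return legit, phish
```

Contrast this with an OTP, which is just a short string the user types: nothing ties it to the page it was entered on, so a fake login page can forward it to the real site unchanged.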

Scanning Repositories for Sensitive Information

Finally, one thing Dropbox fails to mention in their article is that storing sensitive data like API keys and customer contact information in a code repository is something which could have been addressed to prevent sensitive data leakage.  Periodic scanning of code repositories using a tool like Soteri's Security Scanning for Bitbucket or Soteri's Scanning via REST API would have prevented those API credentials and that customer data from being left in a repository where they should not have been.
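To make the kind of scanning described above concrete, here is an added example (written for this article, not Soteri's product code) that checks repository files for the two categories of data found in the Dropbox repositories: credential-like values and bulk contact records. The key formats are well-known public prefixes, the entropy test filters out obvious placeholders, the sample files are constructed, and findings are redacted so the scanner's own output does not become a second copy of the secret.

```python
import math
import re
from collections import Counter

# Public, well-documented credential formats plus a generic "name = value" catch-all.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"),
}
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def shannon_entropy(value):
    """Bits per character; random-looking secrets score high, 'xxxx...' placeholders score 0."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def scan_text(path, text, email_threshold=5, entropy_threshold=3.5):
    """Return (path, line, kind, redacted_value) findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(match.lastindex or 0)
                if kind == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue  # low-entropy value, almost certainly a placeholder
                findings.append((path, lineno, kind, value[:4] + "..."))  # never log the full secret
    emails = EMAIL.findall(text)
    if len(emails) >= email_threshold:  # a handful is normal; a list looks like exported contact data
        findings.append((path, 0, "bulk_contact_data", "%d email addresses" % len(emails)))
    return findings


def scan_repo(files):
    """files: mapping of repository path -> file contents (a checkout walk would feed this)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository contents; AKIAIOSFODNN7EXAMPLE is the key from AWS's own docs.
SAMPLE_FILES = {
    "deploy/config.yml": "region: us-east-1\naws_access_key_id: AKIAIOSFODNN7EXAMPLE\npassword: xxxxxxxxxxxxxxxxxxxx\n",
    "tools/notify.py": 'API_KEY = "Qz7vL2pXr9Kd4mTn8WbY3cHs"\nGITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n',
    "data/leads.csv": "".join("lead%d,lead%d@customer.example\n" % (i, i) for i in range(6)),
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_FILES):
        print("%s:%d %s %s" % finding)
```

Running this as a pre-commit hook or on a schedule against every repository is what turns "we should not store keys in Git" from a policy into a control.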