Dropbox confirms 130 of its GitHub repositories were stolen in a phishing campaign


Dropbox, a file hosting service owned by the American company Dropbox, Inc., revealed that threat actors successfully targeted and accessed 130 of its GitHub repositories via a phishing attack.

The attack took place on October 13, 2022, when crooks posed as the code integration and delivery platform CircleCI to access one of Dropbox’s GitHub accounts. Dropbox uses these accounts to host public and some private repositories. About two months ago, GitHub had already warned that its users were receiving phishing emails impersonating CircleCI.

This time, threat actors again posed as CircleCI in phishing emails sent to multiple Dropbox employees, asking them to visit a fake CircleCI login page, enter their GitHub credentials, and provide a one-time password to the site.

“While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes,” Dropbox’s team explains.

As a result, cybercriminals successfully accessed one of Dropbox’s GitHub organizations and copied 130 of its code repositories. These repositories contained modified copies of third-party libraries, internal prototypes, and some security tools and configuration files.

According to the security team’s press release, the incident did not affect Dropbox’s core infrastructure, nor the content, passwords, or payment information of Dropbox users.

“We believe the risk to customers is minimal,” Dropbox’s team says.

However, cybercriminals did manage to access certain credentials, primarily API keys used by Dropbox developers. The code also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.

Following the attack, Dropbox’s team hired forensic experts to verify its findings and analysis.