A hacker managed to steal 130 repositories stored in GitHub. Dropbox announced the security breach and stated that it was due to a phishing attack where employee credentials were stolen.
The hackers successfully breached the account on October 14th, when GitHub notified Dropbox of suspicious activity a day before the alert was sent, according to Bleeping Computer.
Dropbox's Report
Dropbox stated that phishing lures are now harder to detect since people are now flooded with messages and notifications. Hackers have also changed their tactics, wherein not only do they harvest usernames and passwords but multi-factor authentication codes as well.
However, the file-hosting service said that the hacker did not access anyone's Dropbox account, password, or payment information. Their investigation found that the code that was accessed contained some credentials.
One example is API keys, which are used by Dropbox developers. It also includes a few thousand names and email addresses of Dropbox employees, current and past customers, sales leads, and vendors. This is among the 700 million registered users for context.
Dropbox uses CircleCI for some internal deployments. Since users can log in to CircleCI using GitHub accounts, hackers used this for the phishing attack. Although the system quarantines emails that involve these attacks, some managed to reach the inbox of some Dropbox accounts. Similar attacks were done around mid-September, which has been reported by GitHub as well.
GitHub's Report
Hackers conducted the attacks by pretending to be CircleCI, a code integration and delivery platform, back on September 16. Users would see a message saying that their session has expired and would be required to log in using GitHub credentials.
Upon clicking the link, the user will be redirected to a phishing site that looks similar to a GitHub login page, wherein credentials would be stolen. The false GitHub site will also ask for a TOTP-based two-factor authentication (2FA) in real-time, which allows the hacker to access accounts protected by TOTP-based 2FA.
According to a GitHub blog, the hackers use the following tactics:
-
Once the hackers have stolen the GitHub credentials of the target, they could create GitHub personal access tokens (PATs), authorize OAuth applications, or add SSH keys to the account. This allows the hacker to access the account even if the password has been changed.
-
The hacker may download private repository contents accessible to the victim, which includes contents owned by organization accounts.
-
If the targeted account has organization management permissions, the hacker may create a new GitHub user account and add it to an organization. This way, they will have continuous access.
The blog also released known phishing domains as of September 27, 2022:
-
circle-ci[.]com
-
emails-circleci[.]com
-
circle-cl[.]com
-
email-circleci[.]com
-
links-circleci[.]com
Read Also: Cookie Stealing: How are Hackers Bypassing Two-Factor Authentication Using Cookies?
How Dropbox Aims to Resolve This
They plan on preventing more incidents like this by adopting WebAuthn. Dropbox claims that this method is the "gold standard," as opposed to push notifications, one-time passwords, and time-based one-time passwords.
The company stated that soon enough, their whole environment will have WebAuthn with hardware tokens and biometric factors for security. This security measure is available to Dropbox customers as well.
To do this, sign in to Dropbox, click your avatar, and click on Settings. After that, go to the Security tab, and toggle Two-Step verification to On. Once you re-enter your password, you can choose to receive your security code via text message or mobile app.
Related: 6 Must-Take Steps to Protect Yourself from a Data Breach
