A bad actor gained access to code repositories in the Dropbox phishing attack that caused a data breach at the file storage company.
On October 14, an attacker impersonated CircleCI, a legitimate CI/CD provider, in order to steal login credentials.
Through the hack, the attacker accessed some of the code stored on Dropbox’s servers, which included API keys used by its development team.
Dropbox discovered the hack when GitHub notified it of suspicious activity on its account. The attacker had accessed and copied some of Dropbox's source code unrelated to its core applications or infrastructure.
Dropbox Issued A Statement On The Situation
In a statement, Dropbox assured its users that the threat actors didn't gain unauthorized entry into any of its systems, including its customer databases. Instead, the hackers were able to obtain a few thousand names and email addresses of people associated with Dropbox, including some current and former employees, current and past customers, sales leads, and vendors. The firm says the potential impact on these individuals is "minimal," but it has reached out to everyone affected by the hack.
GitHub had recently been hit by a similar phishing campaign in which a malicious actor impersonated CircleCI to gain access to GitHub accounts.
The attacker's phishing site relayed the one-time passwords that users entered in real time, giving the attacker access to their accounts. Accounts protected by two-step verification weren't affected by this attack.
An attacker gained unauthorized entry into one or more accounts and downloaded sensitive files from them.
What Was Exposed In The Dropbox Phishing Attack
Dropbox added that there were no indications that any customer records had been compromised in the incident, but that it would roll out additional two-step verification measures to protect against future attacks.
Even though professionals usually know better than to be fooled by emails claiming to come from their bank, they can still fall for a phishing email that is crafted well enough.
As part of its efforts to protect consumers from online fraud, the US Cybersecurity and Infrastructure Security Agency (CISA) has released guidelines for implementing phishing-resistant MFA.
For organizations that rely on mobile push notifications for multi-factor authentication (MFA) and cannot yet implement phishing-resistant MFA, CISA recommends phone verification to reduce the risk of MFA fatigue.
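As an added illustration (not part of the original article) of why the real-time OTP relay described above succeeds while phishing-resistant MFA does not: a constructed Python model in which a TOTP code verifies regardless of where it was typed, whereas an origin-bound assertion signed on a look-alike site is rejected by the real relying party. The origins, secrets and function names are assumptions, and the HMAC standing in for a security key's signature makes this a simplified model of origin binding, not the WebAuthn protocol.

```python
import hmac
import hashlib
import json
import struct
import time

REAL_ORIGIN = "https://github.com"             # site the user meant to log in to
PHISH_ORIGIN = "https://circle-ci.example"     # constructed look-alike origin
TOTP_SECRET = b"constructed-shared-secret"     # seed provisioned to the user's OTP app
KEY_SECRET = b"constructed-authenticator-key"  # stand-in for the security key's private key

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second time step)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def verify_totp(code: str, now: int) -> bool:
    """Server check: a code is valid wherever it was typed; nothing ties it to an origin."""
    return hmac.compare_digest(code, totp(TOTP_SECRET, now))

def sign_assertion(challenge: str, origin: str) -> dict:
    """Client side: the browser records the origin it is actually on, the key signs it."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(KEY_SECRET, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def verify_assertion(assertion: dict, challenge: str, expected_origin: str) -> bool:
    """Relying-party check: signature must verify AND the signed origin must be ours."""
    expected_sig = hmac.new(KEY_SECRET, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(assertion["sig"], expected_sig):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == challenge and data["origin"] == expected_origin

def relay_totp() -> bool:
    """User types a TOTP into the phishing page; the code is forwarded to the real site."""
    now = int(time.time())
    captured = totp(TOTP_SECRET, now)   # what the phishing page received
    return verify_totp(captured, now)   # real site accepts it: True

def relay_assertion() -> bool:
    """User's key signs on the phishing page; the assertion is forwarded to the real site."""
    challenge = "constructed-challenge-123"
    captured = sign_assertion(challenge, PHISH_ORIGIN)         # phishing origin is baked in
    return verify_assertion(captured, challenge, REAL_ORIGIN)  # real site rejects it: False
```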