top of page
  • Writer's pictureMark van Vuuren

How Hackers Stole 130 Code Repositories from Dropbox

Heimdal Security states:

Dropbox recently announced a data breach that led to the exfiltration of 130 GitHub code repositories. The breach was discovered on October 14, 2022, after GitHub identified some suspicious activity the day before.

The threat actors gained access to one of company’s GitHub accounts after obtaining employee credentials in a successful phishing attack

Details about the Attack

The Dropbox data breach was the consequence of a successful phishing attack that targeted multiple employees. The phishing emails were imitating CircleCI – a code integration and delivery platform – and pointing the targets to a fake landing page.

The victims were then asked to write their GitHub credentials and to “use their hardware authentication key to pass a One Time Password (OTP)”, according to Dropbox’s statement.

The company notified all those affected by the breach, and the appropriate regulators and law enforcement.

GitHub said it detected content exfiltration from private repositories almost immediately after the compromise, with the threat actors using VPN or proxy services to make tracing them more difficult.

Hackers’ access to the GitHub account was suspended on the same day the attack was discovered and outside forensic experts are investigating the incident.

“In response to the incident, Dropbox is working on securing its entire environment using WebAuthn and hardware tokens or biometric factors”, according to BleepingComputer.

What Data Was Exposed

The attackers gained access to one of Dropbox’s GitHub organizations and snatch 130 of its code repositories using the compromised login details.

“These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team,” the company explained.

Data contained by the stolen code included:

  • some credentials—primarily, API keys—used by Dropbox developers

  • a few thousand names and email addresses belonging to Dropbox employees

  • current and past customers

  • sales leads

  • a list of vendors

Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled.

Dropbox also stated that the threat actors did not gain access to customers’ accounts, credentials, or credit card details, and that the breach had no impact on its core apps or infrastructure.

12 views0 comments


bottom of page