Dropbox has disclosed a security breach after threat actors stole 130 code repositories from one of its GitHub accounts using employee credentials stolen in a phishing attack.
The company said that no content, passwords, or payment information was accessed and that the issue was quickly resolved. Dropbox learned of the breach on October 14, when GitHub notified it of suspicious activity on the account; that activity had begun the day before the alert was sent.
Upon discovery of the incident, security teams took "immediate action" to coordinate the rotation of all exposed developer credentials and determine what customer data, if any, had been accessed or stolen.
"To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers," Dropbox revealed on Tuesday.
The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors, Dropbox says, noting the company has more than 700 million registered users.
The company also revealed that its core apps and infrastructure were unaffected, as access to this type of code is more limited and strictly controlled.
"Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected and are sharing more here," Dropbox said. The company hired outside forensic experts to verify its findings and reported the incident to appropriate law enforcement and regulators.
Nick Rago, Field CTO at Salt Security, says the Dropbox security breach "serves as a good reminder for organizations to scan their source code repositories to look for any credentials stored in plain text (API keys, passwords, etc.) that a threat actor could potentially use if they were to gain access to the repository."
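The scan Rago describes, as an added example that is not code from Dropbox, GitHub or Salt Security: a small Python secret scanner run over a constructed in-memory "repository" (the file paths, contents, entropy threshold and `secret-scan: allow` marker are all assumptions made for the example; the AWS value is the placeholder key from AWS documentation, not a live credential). It combines provider-specific token formats (fixed prefix plus known length) with a generic `name = "value"` rule that is filtered by Shannon entropy so that placeholders such as `"password"` are not reported, and it redacts every match so the scanner's own output does not re-leak what it found.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample "repository": path -> file contents. None of these are
# real credentials; the AWS key is the documentation example value.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DEBUG = True\n'
    ),
    "scripts/deploy.sh": (
        "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
    ),
    "src/app.py": (
        'secret = "s3cr3tP@ssw0rdValue2022X"\n'
        'password = "password"  # placeholder, low entropy\n'
        'token = "9f8e7d6c5b4a3928171605f4e3d2c1b0"  # secret-scan: allow\n'
    ),
    "README.md": "Set the API key via the DROPBOX_API_KEY environment variable.\n",
}

# Provider-specific token formats, plus a generic assignment rule whose
# captured value is filtered by entropy before it is reported.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_secret_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.0  # bits per character (assumed); placeholders sit below this
ALLOW_MARKER = "secret-scan: allow"  # assumed inline suppression comment


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep a short prefix/suffix so a finding can be located without re-leaking it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}{'*' * (len(secret) - 6)}{secret[-2:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; returns one Finding per suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:  # reviewed and explicitly allowed
            continue
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # The generic rule captures only the value; provider rules match the token.
                secret = m.group(1) if m.groups() else m.group(0)
                ent = shannon_entropy(secret)
                if rule == "generic_secret_assignment" and ent < ENTROPY_THRESHOLD:
                    continue  # low-entropy value, almost certainly a placeholder
                findings.append(Finding(path, line_no, rule, redact(secret), round(ent, 2)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan every file in the (in-memory) repository."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted} (entropy {f.entropy})")
```

Run against the sample, the scanner reports the AWS key, the GitHub token and the high-entropy `secret` value, and stays silent on the README, the `"password"` placeholder and the explicitly allowed line. Against a real checkout the same logic should also be run over git history, since a credential deleted in a later commit is still retrievable from earlier ones; purpose-built tools such as gitleaks and trufflehog do this and ship far larger rule sets.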
Dr. Eric Cole, Advisory Board Member at Theon Technology, says there are several red flags raised in reading the details of the disclosure. "Why was Dropbox/GitHub targeted, and what was the attacker after? Attackers do not break into an organization with no goal or objective. Dropbox is making this sound like it was just a casual attack and no real damage happened, but very rarely is that true. Either the attacker did indeed compromise sensitive data, and it was not discovered yet, or information was taken that can be used for extortion or ransom payments. In summary, stay tuned; what was initially reported and what will be reported over the next several weeks is going to most likely change dramatically."