According to the latest blog post from the Dropbox security team, the company was breached on October 13, 2022.
Threat actors used employee credentials obtained through phishing to log into one of Dropbox's GitHub accounts, from which they copied 130 code repositories. Dropbox learned of the compromise on October 14, when GitHub alerted it to suspicious behavior that had begun the previous day.
In early October, phishing emails impersonating CircleCI were sent to many Dropbox employees with the aim of stealing their GitHub credentials.
Some of these emails were automatically quarantined by Dropbox's systems, while others reached Dropboxers' inboxes. A fake CircleCI login page instructed employees to enter their GitHub username and password, and then to use their hardware authentication key to pass a one-time password (OTP) to the malicious site. Because an OTP carries no information about which site requested it, the attacker could simply forward it to GitHub within its validity window. With these credentials the threat actor gained access to one of Dropbox's GitHub organizations and copied 130 source repositories.
The post also explains how Dropbox handled the breach and what it plans to do next:
Our security teams work tirelessly to keep Dropbox worthy of our customers' trust. While the information accessed by this threat actor was limited, we hold ourselves to a higher standard. One way we hope to prevent a similar incident from occurring is by accelerating our adoption of WebAuthn – a current gold standard and a phishing-resistant form of MFA. Soon, our whole environment will be secured by WebAuthn with hardware tokens or biometric factors.
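The difference between the relayed hardware-key OTP described above and the WebAuthn assertions Dropbox says it is moving to, as an added Python simulation that is not Dropbox, GitHub or CircleCI code. The shared secret, origins and RP ID are made up; the TOTP part is standard RFC 6238, and the WebAuthn part implements only the relying party's origin and RP-ID checks, not the signature verification a real RP also performs.

```python
"""Simulation: an OTP from a hardware token can be relayed by a phishing page;
a WebAuthn assertion is bound by the browser to the origin it was produced on.
Added illustration only, not Dropbox/GitHub/CircleCI code. Secret, origins and
RP ID are constructed for the example."""
import base64
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

# ---------- Part 1: TOTP (RFC 6238) as produced by a hardware token ----------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp_server_accepts(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Typical server check: current time step plus its neighbours.
    Nothing in the code records which web site the user typed it into."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), submitted)
               for d in range(-window, window + 1))


def relay_otp_phishing(secret: bytes, now: int) -> bool:
    """Victim types the code from their hardware key into the fake CircleCI page;
    the attacker forwards it to the real server a few seconds later."""
    captured = totp(secret, now)
    return totp_server_accepts(secret, captured, now + 5)   # True: the relay works


# ---------- Part 2: WebAuthn assertion, relying-party (RP) side ----------

RP_ID = "github.example"                 # hypothetical RP ID
RP_ORIGIN = "https://github.example"     # hypothetical legitimate origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """What the browser and authenticator return to page JavaScript. The browser,
    not the page, writes `origin` into clientDataJSON, and it refuses an RP ID
    that is not the page's host or a registrable suffix of it."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"browser refuses rpId {rp_id!r} for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP) || signCount
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00" * 4
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data}


def rp_verify_assertion(assertion: dict, expected_challenge: bytes) -> bool:
    """RP-side checks that give WebAuthn its phishing resistance. The signature
    over authenticatorData || SHA-256(clientDataJSON) is also verified by a real
    RP; it is omitted from this illustration."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False
    if client.get("challenge") != b64url(expected_challenge):
        return False
    if client.get("origin") != RP_ORIGIN:          # produced on some other site
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                # credential scoped to another RP
    return True


def relay_webauthn_phishing(challenge: bytes) -> bool:
    """Same relay attempt with WebAuthn: the look-alike page forwards the real
    RP's challenge to the victim's browser."""
    fake_origin = "https://circleci-login.example"
    try:
        assertion = browser_get_assertion(fake_origin, RP_ID, challenge)
    except PermissionError:
        # The browser rejects the real RP ID; the page can only ask for its own
        # host (for which a real authenticator would hold no credential anyway).
        assertion = browser_get_assertion(fake_origin, "circleci-login.example", challenge)
    return rp_verify_assertion(assertion, challenge)  # False: origin and rpIdHash mismatch


def legitimate_webauthn_login(challenge: bytes) -> bool:
    assertion = browser_get_assertion(RP_ORIGIN, RP_ID, challenge)
    return rp_verify_assertion(assertion, challenge)  # True


if __name__ == "__main__":
    secret = b"12345678901234567890"      # constructed secret (RFC 6238 test key)
    print("relayed OTP accepted:     ", relay_otp_phishing(secret, 1_665_700_000))
    print("relayed WebAuthn accepted:", relay_webauthn_phishing(b"\x01" * 32))
    print("legitimate WebAuthn login:", legitimate_webauthn_login(b"\x01" * 32))
```

The OTP check passes because the server sees only a six-digit code valid for the current time window, whatever page the user typed it into. The WebAuthn check fails twice over: the browser will not mint an assertion for `github.example` from a page on another host, and any assertion the fake page can obtain carries its own origin and RP-ID hash, which the relying party compares against its own values before it even looks at the signature.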