Dropbox Discloses New Breach After Successful Phishing Attack
Customer emails exposed, but not their accounts, passwords or payment info, company says.
Dropbox has disclosed a new security breach that led to threat actors gaining access to thousands of customers’ and others’ email addresses – but not their accounts, passwords, or payment information.
In a blog post, the San Francisco-based file-hosting service, which has been criticized in the past over security issues, said a successful phishing attack led to the theft of employee credentials, ultimately allowing threat actors to access one of its GitHub accounts and copy 130 code repositories.
Dropbox said it was alerted by GitHub on Oct. 14 to “some suspicious behavior” that began the previous day. The company then discovered that a “threat actor—also pretending to be CircleCI—accessed one of our GitHub accounts,” according to the blog post, a reference to the phishing campaign impersonating the CircleCI continuous-integration service that GitHub warned its users about in September.
“We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub,” Dropbox said in its blog.
“No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved,” the company said. “Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected and are sharing more here.”
But Dropbox did acknowledge that its investigation found that the “code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers.”
And it noted that the “code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.”
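The finding that the copied code carried developer API keys is the part of this incident a practitioner can act on before the next phishing email arrives. The following is an added example, not Dropbox's or GitHub's tooling: a small pre-commit-style secret scanner that matches well-known token prefixes and, for generic `api_key = "..."` style assignments, uses a Shannon-entropy threshold so that placeholders are not flagged. The token prefix formats are real public ones; the sample file contents, the rule names and the 3.5-bit threshold are constructed for the example and the AWS value is the documented example key, not a live credential.

```python
"""Minimal secret scanner for source text (added example, not project code).

Flags hard-coded credentials of the kind the article says were found in the
stolen repositories. Prefix rules are high confidence; the generic rule is
backed by an entropy check so 'REPLACE_ME' style placeholders are skipped.
Findings are redacted so the scanner's own output does not re-leak a key.
"""
import math
import re
from collections import Counter

# Rule name -> regex. Prefixes are the public formats of each provider.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    # key = "value" with a 16+ char value; group 2 is the candidate secret
    "generic_secret": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}
ENTROPY_MIN = 3.5  # bits per character; assumed threshold, random keys sit above it


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for a one-character alphabet)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep the first 4 characters (enough to locate it) and mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str):
    """Return [(line_number, rule_name, redacted_secret), ...] for text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                secret = m.group(2) if rule == "generic_secret" else m.group(0)
                if rule == "generic_secret" and shannon_entropy(secret) < ENTROPY_MIN:
                    continue  # low-entropy placeholder, not a real key
                findings.append((lineno, rule, redact(secret)))
    return findings


# Constructed sample file; none of these values are real credentials.
SAMPLE = """\
# constructed sample file; none of these values are real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "REPLACE_ME_REPLACE_ME"
GITHUB_TOKEN = "ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5"
SLACK_BOT = "xoxb-1234567890-abcdefghij"
password = "changemechangeme"
token = "q8Z2kL0pX4vN7mC1rT6yH3bJ9"
"""

if __name__ == "__main__":
    for lineno, rule, shown in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}: {shown}")
```

Run on the sample, the scanner reports the AWS key, the GitHub token, the Slack token and the high-entropy generic `token`, and stays silent on the two placeholders. A real deployment would run this over the whole tree in a pre-commit hook or CI job, and any hit that is a live key is rotated, not just deleted, since git history keeps it.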
Trying to minimize the scope and severity of the attack, Dropbox added that “for context, Dropbox has more than 700 million registered users.”
It added: “At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information.”
In conclusion, the company said: “We take our commitment to protecting the privacy of our customers, partners, and employees seriously, and while we believe any risk to them is minimal, we have notified those affected.”
Contacted by CRN, a representative for Dropbox referred to the company’s blog post regarding further questions about the breach incident.
While the attack may have been effectively contained, news of a Dropbox breach set off some alarms across the internet, prompting Forbes magazine to shoot down the worst fears. “No, Dropbox ‘Hacker’ Hasn’t Stolen Passwords Or Data Of 700 Million Users,” the headline read on a Forbes piece by Davey Winder.
Still, Dropbox has been the focus of security controversies in the past, most infamously over a 2012 breach, disclosed in 2016, that exposed the credentials of tens of millions of users. To this day, Dropbox faces criticism over its overall security.
In its blog post on Tuesday, Dropbox said that prior to the recent phishing attack it was already “in the process” of adopting a “more phishing-resistant form of multi-factor authentication,” specifically WebAuthn. Unlike a one-time code, which a user can be tricked into typing into a lookalike page, a WebAuthn credential is bound to the site’s origin: the browser will not use it for a domain it was not registered to, and the signed login response records the origin the user was actually on, so a phishing page cannot produce a response the real site will accept.
“Our security teams work tirelessly to keep Dropbox worthy of our customers’ trust,” the company said.
“While the information accessed by this threat actor was limited, we hold ourselves to a higher standard. We’re sorry we fell short, and apologize for any inconvenience. One way we hope to prevent a similar incident from occurring is by accelerating our adoption of WebAuthn.”
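The phishing resistance Dropbox is counting on comes from checks the relying party performs on every WebAuthn login, shown below in an added Python example that is not Dropbox's or GitHub's code. The browser writes the page's origin into clientDataJSON, and the authenticator signs authenticatorData (which starts with sha256 of the relying-party ID) together with sha256(clientDataJSON), so an assertion collected on a lookalike domain fails verification even when the attacker relays the genuine challenge. Assumptions: the relying-party ID `rp.example`, the origins and the challenge are constructed, and an HMAC under a fixed key stands in for the authenticator's public-key signature so the block runs on the standard library alone; a real relying party verifies an ECDSA P-256 or RSA signature against the public key stored at registration.

```python
"""Relying-party verification of a WebAuthn assertion (added example).

Not Dropbox's or GitHub's code. Demonstrates the server-side checks that
make WebAuthn phishing-resistant: origin in clientDataJSON, rpIdHash in
authenticatorData, a fresh challenge, and a signature over both.
"""
import base64
import hashlib
import hmac
import json
import os
import struct

RP_ID = "rp.example"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://rp.example"  # the only origin the RP accepts

# Stand-in for the authenticator's private key (never leaves the device).
# Real authenticators sign with ECDSA/RSA; HMAC keeps this example dependency-free.
_DEVICE_KEY = os.urandom(32)


def _sign(message: bytes) -> bytes:
    return hmac.new(_DEVICE_KEY, message, hashlib.sha256).digest()


def _verify_sig(message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(_sign(message), signature)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_data_for(page_origin: str, challenge: bytes) -> bytes:
    """What the browser builds for navigator.credentials.get(): the origin
    comes from the page URL, not from anything the page's script supplies."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()


def authenticator_get(rp_id: str, client_data_json: bytes, sign_count: int):
    """authenticatorData = sha256(rpId) || flags || signCount (big-endian u32)
    for an assertion without extensions; flags bit 0 = user present."""
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + b"\x01"
                 + struct.pack(">I", sign_count))
    signature = _sign(auth_data + hashlib.sha256(client_data_json).digest())
    return auth_data, signature


def verify_assertion(client_data_json: bytes, auth_data: bytes, signature: bytes,
                     expected_challenge: bytes, last_sign_count: int) -> int:
    """RP-side checks in the order WebAuthn prescribes; returns the new counter."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch (stale or replayed)")
    # The phishing check: this field was written by the browser, not the user.
    if client.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin {client.get('origin')!r} is not {EXPECTED_ORIGIN!r}")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    if not auth_data[32] & 0x01:
        raise ValueError("user presence flag not set")
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count != 0 and sign_count <= last_sign_count:
        raise ValueError("signature counter did not increase (cloned authenticator?)")
    if not _verify_sig(auth_data + hashlib.sha256(client_data_json).digest(), signature):
        raise ValueError("signature does not verify")
    return sign_count


def login_attempt(page_origin: str, challenge: bytes, last_sign_count: int = 0):
    """One ceremony: browser on page_origin builds clientDataJSON, the
    authenticator signs, the RP verifies. Returns (accepted, detail)."""
    cdj = client_data_for(page_origin, challenge)
    auth_data, sig = authenticator_get(RP_ID, cdj, last_sign_count + 1)
    try:
        counter = verify_assertion(cdj, auth_data, sig, challenge, last_sign_count)
        return True, f"accepted, counter={counter}"
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    challenge = os.urandom(32)  # issued by the RP for this login only
    print(login_attempt(EXPECTED_ORIGIN, challenge))
    # Adversary-in-the-middle page that relayed the genuine challenge:
    print(login_attempt("https://rp-example-login.net", challenge))
```

In practice the phishing attempt fails one step earlier than this code shows: a browser on `rp-example-login.net` will not even invoke a credential registered for `rp.example`, because the relying-party ID must be a registrable suffix of the page's origin. The server-side origin and rpIdHash checks are the defense in depth behind that, and they are exactly what a relayed one-time password lacks.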