A breach on a Dropbox GitHub account resulted in the loss of several thousand names and email information. The hackers employed a well-known phishing method.
Dropbox and its users have received bad news: hackers obtained a few thousand names and email addresses belonging to workers, present and past customers, prospects, and suppliers.
All of this information was saved on a GitHub account that was compromised. The hackers utilised a phishing tactic and targeted multiple Dropbox workers to do this. They pretended to be the CircleCI integration and distribution platform and referred employees to a bogus website that requested their GitHub username and password.
Employees were also prompted to use their hardware authentication key to transmit a one-time password (OTP).
Example of the phishing mail © Bleeping Computer
This gave the hackers access to GitHub and allowed them to hijack 130 code repositories. Dropbox was aware of suspicious activities on October 14 when GitHub notified the firm. After further research, it was discovered that the code contained credentials such as names and email addresses, as well as API keys used by developers.
Dropbox, however, wants to be reassuring and told our colleagues at Bleeping Computer:
“It is important to note that the stolen repositories did not include code for our applications or core infrastructure. Access to these repositories is even more limited and strictly controlled.”
According to the organisation, the hackers had no access to user accounts, passwords, or payment information. However, email addresses can be exploited to launch fresh phishing attempts. Furthermore, Dropbox did not disclose whether the hackers could use the stolen API keys.
It should be recalled that GitHub was the target of a similar attack in September. The CircleCI platform was also impersonated in that assault. To continue using the service, users were required to log in to their GitHub accounts and accept new terms of service. Furthermore, the hackers used VPN and proxy services to make it more difficult to track them down.