Full Report
Dropbox disclosed a security breach where attackers stole 130 code repositories from one of its GitHub accounts by using credentials obtained from phishing Dropbox employees. The breach was discovered on October 14, following a GitHub alert. Attackers impersonated CircleCI in ...
Analysis Summary
# Incident Report: Dropbox GitHub Repository Theft via Phishing
## Executive Summary
Dropbox experienced a security breach stemming from a targeted phishing campaign that compromised employee credentials, leading to the exfiltration of 130 internal code repositories from a GitHub account. The incident was identified on October 14, 2022, following an alert from GitHub. The impact was limited to internal developer tools and configuration files, with no customer data being exposed. Dropbox responded by immediately invalidating compromised credentials and reviewing access controls.
## Incident Details
- **Discovery Date:** October 14, 2022
- **Incident Date:** Prior to October 14, 2022 (Exact start unknown, but phishing campaign preceded discovery)
- **Affected Organization:** Dropbox
- **Sector:** Technology/Cloud Services
- **Geography:** Not specified (global operations implied)
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-October 14, 2022
- **Vector:** Credential harvesting via sophisticated phishing.
- **Details:** Attackers impersonated CircleCI in phishing emails sent to Dropbox employees, tricking them into entering their GitHub credentials. Crucially, the attackers also defeated the hardware-security-key OTP factor, which suggests the phishing page harvested the legitimate one-time code generated by the key, or prompted the user to enter it immediately after the password.
### Lateral Movement
- **Details:** Not explicitly detailed in the source, but movement likely involved using the compromised GitHub credentials to access repositories associated with the targeted account.
### Data Exfiltration/Impact
- **Date/Time:** Post-access, Pre-October 14, 2022
- **Details:** Attackers exfiltrated approximately 130 private code repositories from a Dropbox GitHub account. These repositories contained API keys, internal tools, and configuration files.
### Detection & Response
- **Date/Time:** October 14, 2022
- **Details:** The incident was discovered following an alert received from GitHub. Dropbox immediately began incident response procedures, including credential rotation and access revocation on affected systems.
## Attack Methodology
- **Initial Access:** Phishing (Impersonation of CircleCI).
- **Persistence:** Not specified, but likely maintained via valid credentials until discovery.
- **Privilege Escalation:** Not explicitly detailed, but access was gained to sensitive development resources.
- **Defense Evasion:** Not specified.
- **Credential Access:** Credential harvesting via phishing, combined with capture of a valid hardware-security-key OTP at the moment the user entered it.
- **Discovery:** Not specified.
- **Lateral Movement:** Movement within the scope of the compromised GitHub organizational account.
- **Collection:** Targeting and downloading source code repositories.
- **Exfiltration:** Exfiltration of the 130 repositories as archives or clones.
- **Impact:** Theft of internal source code, API keys, and configuration files.
## Impact Assessment
- **Financial:** Costs related to incident response and remediation (Not quantified in source).
- **Data Breach:** Theft of 130 private code repositories containing internal tools, configuration files, and API keys. **No customer data, accounts, passwords, or payment information were exposed.**
- **Operational:** Minor disruption to development workflow due to credential updates and repository access review.
- **Reputational:** Public disclosure of a significant internal security lapse.
## Indicators of Compromise
*Note: No specific technical IOCs (IPs, hashes) were provided in the source material.*
- **Behavioral indicators:** Unusual login activity or bulk cloning operations from the targeted GitHub account immediately preceding October 14, 2022.
## Response Actions
- **Containment measures:** Immediately invalidating the compromised GitHub credentials used by the employee(s).
- **Eradication steps:** Reviewing the contents of the stolen repositories to identify and neutralize any exposed secrets (e.g., API keys).
- **Recovery actions:** Rotating affected API keys and configuration secrets, and reviewing security controls around the authentication process.
## Lessons Learned
- A highly convincing phishing attempt successfully bypassed MFA/hardware key protection (by capturing the OTP).
- Entering credentials on a page reached through a third-party prompt (even one appearing to come from a trusted CI/CD platform like CircleCI) remains a high risk if users are not vigilant.
- The scope of the breach confirms that source code repositories must be treated as highly sensitive assets.
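To make the first lesson concrete, the following added example (not part of the original report) contrasts the two second factors: an OTP typed into a look-alike page verifies just as well as one typed into the real site, whereas a WebAuthn assertion carries the browser-supplied origin and is rejected by the relying party. All origins are hypothetical, and an HMAC stands in for the authenticator's private-key signature; it is a model of the checks, not a real WebAuthn implementation.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://git.example"            # hypothetical legitimate login origin
RP_ID_HASH = hashlib.sha256(b"git.example").digest()
AUTHENTICATOR_KEY = secrets.token_bytes(32)  # toy credential secret (stands in for a private key)


def authenticator_sign(client_data_json: bytes) -> tuple:
    """Toy authenticator: signs rpIdHash || flags || sha256(clientDataJSON).
    The browser, not the web page, fills in clientData.origin before this call."""
    auth_data = RP_ID_HASH + b"\x01"  # flags byte: user present
    msg = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(AUTHENTICATOR_KEY, msg, "sha256").digest()


def rp_verify_assertion(expected_challenge: str, client_data_json: bytes,
                        auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # origin binding: an assertion made on another site fails here
        return False
    if auth_data[:32] != RP_ID_HASH:
        return False
    msg = auth_data + hashlib.sha256(client_data_json).digest()
    return hmac.compare_digest(sig, hmac.new(AUTHENTICATOR_KEY, msg, "sha256").digest())


def rp_verify_otp(expected_code: str, submitted_code: str) -> bool:
    """A one-time code carries no origin: the same digits verify wherever they were typed."""
    return hmac.compare_digest(expected_code, submitted_code)


def login_from(browser_origin: str, challenge: str) -> bool:
    """Simulate the user completing the WebAuthn ceremony on a page served from
    browser_origin, with `challenge` issued by the relying party."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}).encode()
    auth_data, sig = authenticator_sign(client_data)
    return rp_verify_assertion(challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    ch = secrets.token_hex(16)
    print("genuine origin:", login_from(RP_ORIGIN, ch))                      # True
    print("look-alike origin:", login_from("https://ci-login.example", ch))  # False
    print("OTP typed anywhere:", rp_verify_otp("482913", "482913"))         # True
```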
## Recommendations
- Implement stronger phishing simulation training that emphasizes real-time phishing pages capturing MFA codes as they are entered.
- Review and potentially enforce mandatory WebAuthn/FIDO2 adoption across all sensitive services; the origin-bound challenge/response used by hardware keys in that mode cannot be reproduced by phishing infrastructure.
- Implement rate limiting or anomalous activity detection on GitHub for bulk repository cloning.
- Rotate all exposed secrets (API keys, internal identifiers) identified within the contents of the compromised repositories immediately.
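The behavioral indicator noted under Indicators of Compromise (bulk cloning from one account) and the third recommendation above (anomaly detection for bulk cloning) can be turned into a simple detector. The example below is added here and is not Dropbox's or GitHub's code; the log lines are constructed and only loosely follow the shape of a GitHub audit-log export (an assumption), and the one-hour window and threshold of 25 distinct repositories are illustrative tuning values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: newline-delimited JSON loosely shaped like a GitHub
# audit-log export (assumption). "dev-alice" clones 130 distinct repos within
# minutes, the pattern of this incident; "dev-bob" shows routine activity.
SAMPLE_LOG = "\n".join(
    json.dumps({"action": "git.clone", "actor": "dev-alice",
                "repo": f"example-org/tool-{i:03d}",
                "@timestamp": f"2022-10-13T02:{i // 60:02d}:{i % 60:02d}Z"})
    for i in range(130)
) + "\n" + "\n".join(
    json.dumps({"action": "git.clone", "actor": "dev-bob",
                "repo": f"example-org/{r}", "@timestamp": t})
    for r, t in [("service-a", "2022-10-13T09:00:00Z"),
                 ("service-a", "2022-10-13T09:20:00Z"),
                 ("service-b", "2022-10-13T09:40:00Z")]
)

def parse_clone_events(ndjson: str):
    """Yield (actor, timestamp, repo) for git.clone events; skip blank and other lines."""
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("action") != "git.clone":
            continue
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        yield ev["actor"], ts, ev["repo"]

def detect_bulk_clones(ndjson: str, window: timedelta = timedelta(hours=1),
                       threshold: int = 25) -> dict:
    """Return {actor: peak number of distinct repos cloned within any `window`}
    for actors whose peak exceeds `threshold` (sliding window over sorted events)."""
    by_actor = defaultdict(list)
    for actor, ts, repo in parse_clone_events(ndjson):
        by_actor[actor].append((ts, repo))
    alerts = {}
    for actor, events in by_actor.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({repo for _, repo in events[start:end + 1]}))
        if peak > threshold:
            alerts[actor] = peak
    return alerts
```

Running `detect_bulk_clones(SAMPLE_LOG)` flags only `dev-alice` with a peak of 130 distinct repositories; in practice the threshold should be set from an actor's historical baseline rather than a fixed number.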