A threat actor who impersonated CircleCI in a phishing campaign gained access to a Dropbox GitHub account whose repositories contained credentials, primarily API keys, used by Dropbox developers. The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads and vendors.

Dropbox, which has more than 700 million registered users, has notified affected users but believes the attacks may be ongoing. The company maintains that the risk to customers is minimal and that the attacker did not access the contents of anyone's Dropbox account, password or payment information. Dropbox began its investigation the day GitHub alerted it to suspicious activity that had occurred the previous day.

Impact

The Dropbox breach illustrates that threat actors have moved beyond harvesting usernames and passwords to harvesting multi-factor authentication codes as well. The tactic is not new: in September, GitHub warned of a phishing campaign in which a threat actor impersonated the continuous integration and delivery platform CircleCI to take over GitHub accounts. Legitimate-looking emails directed employees to a fake CircleCI login page, which asked for their GitHub username and password and then asked them to use their hardware authentication key to generate a one-time password (OTP) and enter it on the malicious site. An OTP is phishable however it is produced, by an authenticator app or by a hardware token: the attacker simply relays the code to GitHub before it expires. Accounts protected by WebAuthn (FIDO2) security keys resist this, because the browser binds each signed assertion to the origin that requested it, so an assertion produced on a look-alike site is useless at the real one. In August, one-time MFA passcodes were likewise exposed in the attack on Twilio, a cloud communications company.
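To make the difference concrete, the following is an added Python simulation (not code from Dropbox, GitHub or DXC) of the two flows described above: a real-time relay of a phished OTP, which succeeds, and the same relay attempted against a WebAuthn assertion, which fails both in the browser and at the relying party because the credential and the signed client data are bound to the origin https://github.com. The TOTP secret, credential key, challenge and the phishing origin https://circleci-login.example are constructed for the example; the WebAuthn signature uses HMAC as a stand-in for the authenticator's ECDSA signature, and the data structures follow the specification in simplified form.

```python
import base64
import hashlib
import hmac
import json
import struct
from urllib.parse import urlsplit

# Constructed sample values; none of these are real secrets or hosts.
TOTP_SECRET = b"constructed-shared-totp-secret"
CREDENTIAL_KEY = b"constructed-webauthn-credential-key"  # stand-in for the private key
RP_ID = "github.com"
REAL_ORIGIN = "https://github.com"
PHISH_ORIGIN = "https://circleci-login.example"  # constructed phishing origin


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter, truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Relying-party check accepting the previous, current and next time step."""
    return any(hmac.compare_digest(totp(secret, now + k * step), code) for k in (-1, 0, 1))


def simulate_totp_phish(now: int = 1_700_000_000) -> bool:
    """The user types the code into the fake page; the attacker forwards it seconds
    later. Nothing in the code records where it was typed, so the real site accepts it."""
    code_typed_on_phish_page = totp(TOTP_SECRET, now)
    return verify_totp(TOTP_SECRET, code_typed_on_phish_page, now + 5)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_sign(rp_id: str, client_data: bytes) -> dict:
    """Authenticator side: sign authenticatorData || SHA-256(clientDataJSON).
    HMAC stands in for the ECDSA signature a real key would produce."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + b"\x00\x00\x00\x00"  # flags: UP set; signCount 0
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"auth_data": auth_data, "client_data": client_data, "signature": signature}


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Browser side: a page may only use credentials whose RP ID matches its host,
    and the browser itself writes the page's true origin into clientDataJSON."""
    host = urlsplit(page_origin).hostname or ""
    if host != rp_id and not host.endswith("." + rp_id):
        return None  # a credential scoped to github.com is invisible to other sites
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": page_origin},
        separators=(",", ":")).encode()
    return authenticator_sign(rp_id, client_data)


def rp_verify_assertion(assertion, expected_origin: str, challenge: bytes, rp_id: str = RP_ID) -> bool:
    """Relying-party side: check type, challenge, origin and RP ID hash, then the signature."""
    if assertion is None:
        return False
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get" or client.get("challenge") != _b64url(challenge):
        return False
    if client.get("origin") != expected_origin:
        return False  # origin binding: a relayed assertion names the phishing site
    if assertion["auth_data"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def simulate_webauthn_phish(challenge: bytes = b"constructed-challenge") -> bool:
    """Same relay attempt against WebAuthn: the browser on the phishing page refuses
    to use the github.com credential, so there is nothing to relay."""
    assertion = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge)
    return rp_verify_assertion(assertion, REAL_ORIGIN, challenge)


def simulate_forged_origin(challenge: bytes = b"constructed-challenge") -> bool:
    """Defence in depth: even a signed assertion whose clientDataJSON names the
    phishing origin is rejected by the relying party's origin check."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": PHISH_ORIGIN},
        separators=(",", ":")).encode()
    return rp_verify_assertion(authenticator_sign(RP_ID, client_data), REAL_ORIGIN, challenge)


if __name__ == "__main__":
    print("relayed OTP accepted by real site:", simulate_totp_phish())
    print("relayed WebAuthn assertion accepted:", simulate_webauthn_phish())
    print("assertion with forged origin accepted:", simulate_forged_origin())
```

Running the block prints True for the OTP relay and False for both WebAuthn cases. The design point is that a TOTP code carries no information about where it was entered, so no relying-party check can distinguish a relayed code from a legitimate one, whereas WebAuthn fails closed at two independent points: the browser's RP ID scoping and the relying party's origin comparison.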

DXC perspective 

Clearly, strong digital identity policies are more important than ever. Consider requiring phishing-resistant two-factor authentication with WebAuthn (FIDO2) hardware security keys, and using a browser-integrated password manager to autofill passwords on familiar websites: a password manager matches saved credentials to the site's exact origin, so if it does not recognize the website and refuses to fill the login form, the page may be a phishing site. In addition, confirm the URL in the address bar before entering credentials. In this case the URL should be "https://github.com/login" and the site's Transport Layer Security (TLS) certificate should be issued to GitHub, Inc. Note that a valid TLS certificate by itself proves only that you are connected to the host named in the address bar; phishing sites routinely hold valid certificates for their own look-alike domains, so the hostname is the check that matters.
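The origin check a password manager performs before autofilling, and that a user performs by reading the address bar, as an added Python example (not code from any particular password manager or from DXC). The saved origin https://github.com comes from the text above; the look-alike URLs are constructed to show the common tricks: a host that merely contains github.com, a userinfo prefix that shows github.com before an @, a scheme downgrade, and a Unicode homoglyph in the host. The labels returned by why_blocked are this example's own.

```python
from urllib.parse import urlsplit

# Constructed: the only login the manager has saved, keyed by exact origin.
SAVED_LOGIN_ORIGINS = {"https://github.com"}
DEFAULT_PORTS = {"https": 443, "http": 80}

# Reason labels used by why_blocked (example's own vocabulary).
REASON_USERINFO = "userinfo: text before @ is not the host"
REASON_SCHEME = "scheme: not https"
REASON_LOOKALIKE = "lookalike: expected host embedded in a longer name"
REASON_HOMOGLYPH = "homoglyph: non-ASCII characters in host"
REASON_OTHER = "host: different domain"


def canonical_origin(url: str):
    """Return scheme://host[:port] for the URL, or None if it cannot be read safely.
    Userinfo, path, query and fragment play no part: only the true host counts."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None
    # .hostname is already lowercased and excludes userinfo and port; drop a trailing dot.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return None
    try:
        host = host.encode("idna").decode("ascii")  # Unicode look-alikes become their xn-- form
        port = parts.port  # raises ValueError on a malformed port
    except (UnicodeError, ValueError):
        return None
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def should_autofill(url: str, saved=SAVED_LOGIN_ORIGINS) -> bool:
    """Fill only when the page's canonical origin is exactly one we saved a login for."""
    origin = canonical_origin(url)
    return origin is not None and origin in saved


def why_blocked(url: str, expected_host: str = "github.com") -> str:
    """Label the trick a rejected URL relies on, for user training or phishing reports."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username is not None:
        return REASON_USERINFO
    if parts.scheme.lower() != "https":
        return REASON_SCHEME
    if any(ord(ch) > 127 for ch in host):
        return REASON_HOMOGLYPH
    if host != expected_host and expected_host in host:
        return REASON_LOOKALIKE
    return REASON_OTHER


if __name__ == "__main__":
    # Constructed test URLs: the first three are legitimate spellings of the saved origin.
    for candidate in [
        "https://github.com/login",
        "https://GitHub.COM./login",
        "https://github.com:443/login",
        "https://github.com@circleci-login.example/login",
        "https://github.com.circleci-login.example/login",
        "http://github.com/login",
        "https://g\u0456thub.com/login",  # Cyrillic i in place of Latin i
    ]:
        verdict = should_autofill(candidate)
        note = "" if verdict else f"  ({why_blocked(candidate)})"
        print(f"{verdict!s:5}  {candidate}{note}")
```

The check is deliberately exact-origin rather than "does the URL contain github.com": every one of the rejected examples contains that string somewhere, which is precisely what a phishing page relies on a hurried reader to notice.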