No, Dropbox ‘Hacker’ Hasn’t Stolen Passwords Or Data Of 700 Million Users
Davey Winder, Senior Contributor, Cybersecurity. Opinions expressed by Forbes Contributors are their own. Co-founder, Straight Talking Cyber.
Nov 2, 2022, 07:05am EDT
[Image: Dropbox confirms breach of some GitHub hosted code repositories. SOPA Images/LightRocket via Getty Images]
As news breaks of Dropbox apparently falling victim to hackers in October, here’s what actually happened.
The hugely popular Dropbox file-hosting service has been hacked. Or, at least, you could be forgiven for thinking that, given the story that is currently starting to break following a November 1 posting by the Dropbox security team. That Dropbox security team posting confirms that a threat actor did, indeed, get access to some Dropbox source code.
However, this code was contained within 130 GitHub code repositories.

How did a threat actor breach Dropbox’s GitHub code repository security?
Like many organizations, Dropbox uses GitHub to host several private repositories. At the start of October, the Dropbox security team became aware of a phishing campaign apparently targeting staff. The phishing email purported to originate from the code integration and delivery platform CircleCI, a company used by Dropbox for specific internal code deployments.
“While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes,” the report says. These used a realistic-looking template directing the recipients to what appeared to be a CircleCI login page, where they were directed to enter their GitHub account credentials. Although the accounts were protected by a second authentication factor, in this case a hardware authenticator that generates a one-time password, the threat actor eventually succeeded in using both the password and the one-time code to access “one of our GitHub organizations where they proceeded to copy 130 of our code repositories,” the security team confirms.
On October 14, GitHub alerted Dropbox to suspicious behavior beginning the previous day. The threat actor’s access was disabled the same day and Dropbox security teams “took immediate action to coordinate the rotation of all exposed developer credentials and determine what customer data, if any, was accessed or stolen.” Dropbox also brought in external forensic teams to verify the investigation findings, reporting the incident to law enforcement and the relevant regulators.
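The anomaly GitHub flagged here, one account fetching a large number of private repositories in a short time, is the kind of pattern a defender can watch for in repository access logs. The following detector is an added example, not Dropbox’s or GitHub’s code; the JSON-lines event format, its field names, the sample events and the thresholds are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified JSON-lines format. This is not
# GitHub's real audit-log schema; only the fields used below are assumed.
def _event(ts, actor, repo):
    return json.dumps({"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "actor": actor,
                       "action": "git.clone", "repo": repo})

_t0 = datetime(2022, 10, 13, 9, 0, 0)
SAMPLE_LOG = "\n".join(
    [_event(_t0 + timedelta(hours=h), "dev-alice", f"org/service-{h}") for h in range(3)]
    + [_event(_t0 + timedelta(seconds=30 * i), "dev-bob", f"org/repo-{i}") for i in range(40)]
)

def parse_events(log_text):
    """Parse JSON-lines events, skipping malformed lines instead of failing."""
    events = []
    for line in log_text.splitlines():
        try:
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
        except (ValueError, KeyError, TypeError):
            continue
    return events

def bulk_clone_alerts(events, max_repos=20, window=timedelta(hours=1)):
    """Flag actors cloning more than max_repos distinct repositories inside any
    sliding time window of the given length. Returns {actor: peak distinct count}."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("action") == "git.clone":
            by_actor[e["actor"]].append((e["ts"], e["repo"]))
    alerts = {}
    for actor, clones in by_actor.items():
        clones.sort()
        start = 0
        for end in range(len(clones)):
            while clones[end][0] - clones[start][0] > window:
                start += 1
            distinct = len({repo for _, repo in clones[start:end + 1]})
            if distinct > max_repos:
                alerts[actor] = max(alerts.get(actor, 0), distinct)
    return alerts

if __name__ == "__main__":
    print(bulk_clone_alerts(parse_events(SAMPLE_LOG)))  # {'dev-bob': 40}
```

A real deployment would tune the window and threshold to the organization’s normal clone rates and feed the alert into the same response path used for credential rotation.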
What Dropbox data was accessed?
So, what did the threat actor get access to? The Dropbox security team says that “these repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team. Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled.” Importantly, it is confirmed that at no time did the threat actor have access to anyone’s Dropbox account, passwords or payment information. “Our investigation has found that the code accessed by this threat actor contained some credentials, primarily API keys, used by Dropbox developers. The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors,” the statement says.
By way of context, Dropbox has more than 700 million registered users. Those whose email details may have been accessed have already been informed by Dropbox.
From: forbes
URL: https://www.forbes.com/sites/daveywinder/2022/11/02/no-dropbox-hacker-hasnt-stolen-passwords-or-data-of-700-million-users/