No, Dropbox ‘Hacker’ Hasn’t Stolen Passwords Or Data Of 700 Million Users
Davey Winder, Senior Contributor
Co-founder, Straight Talking Cyber
Nov 2, 2022, 07:05am EDT
As news breaks of Dropbox apparently falling victim to hackers in October, here's what actually happened.

The hugely popular Dropbox file-hosting service has been hacked. Or, at least, you could be forgiven for thinking that, given the story that is currently starting to break following a November 1 posting by the Dropbox security team.

That Dropbox security team posting confirms that a threat actor did, indeed, get access to some Dropbox source code. However, this code was contained within 130 GitHub code repositories.

How did a threat actor breach Dropbox's GitHub code repository security?
Like many organizations, Dropbox uses GitHub to host several private repositories. At the start of October, the Dropbox security team became aware of a phishing campaign apparently targeting staff. The phishing email purported to originate from the code integration and delivery platform CircleCI, a company used by Dropbox for specific internal code deployments. "While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes," the report says.

These used a realistic-looking template directing the recipients to what appeared to be a CircleCI login page, where they were asked to enter GitHub account credentials. Although the accounts were protected by a second authentication factor, in this case a hardware authentication system that generates a one-time password, the threat actor was eventually able to use both to access "one of our GitHub organizations where they proceeded to copy 130 of our code repositories," the security team confirms.

On October 14, GitHub alerted Dropbox to suspicious behavior beginning the previous day. The threat actor's access was disabled the same day and Dropbox security teams "took immediate action to coordinate the rotation of all exposed developer credentials and determine what customer data, if any, was accessed or stolen."

Dropbox also brought in external forensic teams to verify the investigation findings, reporting the incident to law enforcement and the relevant regulators.

What Dropbox data was accessed?
So, what did the threat actor get access to? The Dropbox security team says that "these repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team. Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled."

Importantly, it is confirmed that at no time did the threat actor have access to anyone’s Dropbox account, passwords or payment information. "Our investigation has found that the code accessed by this threat actor contained some credentials, primarily API keys, used by Dropbox developers. The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors," the statement says. By way of context, Dropbox has more than 700 million registered users. Those whose email details may have been accessed have been informed by Dropbox already.