/i/2004753100.png?fit=%2C&ssl=1 "Hackers Steal Dropbox Prototypes and Security Tools During a Phishing Attack – Computer – News")
Hackers gained access to a Dropbox GitHub account via a phishing attack. As a result, the criminals knew, among other things, changed third party libraries, steal internal prototypes and security tools. The data of thousands of users was also stolen.
In the attack, the criminals gained access to the names and email addresses of thousands of current and former customers, employees, prospects and suppliers. Relatively speaking, there is according to Dropbox Little personal data was stolen, as the platform is said to have 700 million users. The files that users store or share with Dropbox were not stolen during the attack. Not even passwords or payment details were stolen. Those affected have now been notified.
Additionally, the attackers gained access to API keys from Dropbox developers and one hundred and thirty coderepository. This concerns, among other things, your own copies of third party libraries which have been slightly modified by Dropbox, internal prototypes and “some tools and configuration files used by the security team”. The code for the core apps or core infrastructure was not stolen, the company points out.
The criminals gained access by sending phishing emails to multiple Dropbox employees in October. In those emails, the criminals pretended to be CircleCI, a code integration– in delivery-platform. Users can log into CircleCI with their GitHub credentials; that’s why hackers pretended to be this platform. Some of the phishing emails were automatically blocked by Dropbox systems, but some reached employee inboxes.
These emails are linked to an external website that mimics the CircleCI website. Here employees had to log in with their GitHub credentials and their physical authentication key a unique password to pass. The criminals used this data to log into one of Dropbox’s GitHub organizations and steal the data.
Dropbox claims to have reported the attack to relevant authorities and verified their findings with forensic experts. The platform wants to accelerate the transition to WebAuthn and hopes to limit vulnerability to phishing attacks.
