Cyber Incident Victim: Dropbox Inc.
Date: Oct 2022
Location: United States of America
Summary
A cybersecurity breach at Dropbox occurred when attackers obtained employee credentials through a phishing campaign impersonating CircleCI, prompting victims to enter GitHub login details and hardware-based OTPs. The compromised credentials allowed unauthorized access to a GitHub account, resulting in the theft of 130 code repositories containing modified third-party libraries, internal prototypes, security team tools, API keys, and several thousand names and email addresses belonging to employees, customers, and vendors. Core application and infrastructure code remained unaffected. The company responded by accelerating efforts to implement WebAuthn authentication with hardware tokens or biometric verification across its environment.
Description
On October 14, 2022, Dropbox detected unauthorized access to one of its GitHub accounts following an alert from GitHub regarding suspicious activity that began on October 13. The breach originated from a phishing campaign targeting multiple Dropbox employees, in which threat actors impersonated the CircleCI continuous integration platform via email. These phishing emails redirected employees to a fraudulent landing page designed to harvest GitHub credentials. Employees were prompted to enter their GitHub usernames and passwords and were then instructed to use their hardware authentication keys to provide a One-Time Password (OTP); because an OTP is just a short code with no binding to the site it is entered on, the attackers could relay it to the real GitHub login before it expired. After obtaining valid credentials, the attackers accessed Dropbox's GitHub organization and exfiltrated 130 code repositories. The stolen repositories contained modified third-party libraries, internal prototypes, security team tools, and configuration files. Notably, core Dropbox application and infrastructure code remained unaffected. The compromised repositories also held API keys used by developers and several thousand names and email addresses belonging to employees, current and former customers, sales leads, and vendors.

Dropbox initiated an investigation upon discovery, confirming the attackers leveraged stolen credentials to infiltrate GitHub. The company disclosed the breach publicly on November 1, 2022, clarifying that no customer passwords, payment information, or core services were compromised. Immediate response actions included collaboration with GitHub to assess the scope and revoke exposed API keys. Dropbox emphasized transitioning its entire environment to WebAuthn authentication, requiring hardware security keys or biometric factors for access. The incident highlighted risks associated with phishing attacks targeting secondary development platforms and spurred internal reviews of credential management practices. No additional breaches or downstream exploitation of stolen data were reported by Dropbox following containment efforts.
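The mitigation Dropbox chose, WebAuthn with hardware or biometric authenticators, defeats the relay pattern above because the relying party verifies the origin and challenge that the browser bakes into the signed assertion. The following is an added example, not Dropbox's or GitHub's code, that models that verification step. It assumes placeholder origins (`github.example` as the relying party, a constructed lookalike origin for the phishing page) and, for the sake of running offline without a crypto library, stands in an HMAC-SHA256 shared secret for the authenticator's private key and the relying party's stored public key; the structure of clientDataJSON, authenticatorData and the checks performed follow the WebAuthn specification.

```python
"""Added example (not Dropbox's or GitHub's code): why a WebAuthn assertion
cannot be relayed from a lookalike site the way a password and OTP can.

The relying party (RP) accepts an assertion only if it was produced for the
RP's own origin and the RP's own fresh challenge. The browser, not the page,
writes the real origin into clientDataJSON, and the authenticator signs over
authenticatorData || SHA-256(clientDataJSON), so a phishing page cannot obtain
an assertion that verifies at the genuine RP.

Assumption: the signature is modelled with HMAC-SHA256 so that one shared
secret stands in for the authenticator private key and the RP's public key.
"""
import hashlib
import hmac
import json
import secrets

# Relying-party configuration (placeholder values, not from the incident).
RP_ID = "github.example"               # placeholder RP ID
RP_ORIGIN = "https://github.example"   # the only origin this RP accepts

# Credential registered at enrolment: credential id -> stand-in for the stored public key.
CREDENTIAL_STORE = {"cred-01": secrets.token_bytes(32)}


def issue_challenge() -> str:
    """RP step 1: a fresh random challenge per login attempt, remembered server-side."""
    return secrets.token_urlsafe(32)


def authenticator_sign(cred_id: str, page_origin: str, challenge: str) -> dict:
    """Browser + authenticator, as driven by the page that called navigator.credentials.get().

    The browser fills in `origin` from the page actually showing the prompt; the page
    cannot choose it. The authenticator then signs authenticatorData || SHA-256(clientDataJSON).
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP bit set)
    authenticator_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_STORE[cred_id], signed, hashlib.sha256).digest()
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": authenticator_data, "signature": signature}


def verify_assertion(assertion: dict, expected_challenge: str) -> tuple:
    """RP step 2: accept only assertions bound to this RP's origin and this login's challenge."""
    try:
        client_data = json.loads(assertion["clientDataJSON"])
    except (KeyError, ValueError):
        return False, "malformed clientDataJSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(str(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: assertion was made for %r" % client_data.get("origin")
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    key = CREDENTIAL_STORE.get(assertion["id"])
    if key is None:
        return False, "unknown credential"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_from(page_origin: str) -> tuple:
    """Full exchange: the RP issues a challenge, the page at `page_origin` passes it to the
    authenticator, and whatever comes back is presented to the RP for verification."""
    challenge = issue_challenge()
    assertion = authenticator_sign("cred-01", page_origin, challenge)
    return verify_assertion(assertion, challenge)


if __name__ == "__main__":
    print("genuine site:  ", login_from(RP_ORIGIN))
    # Constructed lookalike origin: even with a cooperating user and a touched
    # hardware key, the assertion names the wrong origin and the RP rejects it.
    print("lookalike site:", login_from("https://github-login.ci-lookalike.example"))
```

Two properties do the work here: the challenge check stops replay of a captured assertion in a later session, and the origin check stops relay from any page other than the RP's own. A phishing page that edits clientDataJSON to claim the genuine origin after the fact only moves the failure to the signature check, since the hash of the original clientDataJSON is what was signed. An OTP, by contrast, carries neither an origin nor a challenge, which is why the relay described in this incident succeeded against it.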
