Summary

  • Dropbox suffered a data breach after a targeted phishing campaign impersonating CircleCI tricked employees into entering their GitHub credentials and a one-time password on a fake login page.
  • No sensitive customer content appears to have been exposed, though the attackers copied 130 code repositories and got away with some names, email addresses and internal prototypes, among other things.
  • Phishing-resistant MFA reduces the chance of a lure succeeding; in-app security prompts and cloud DLP limit what a compromised account can do afterwards.


It looks like Dropbox has dropped the ball. In a blog post published on November 1st, 2022, the company revealed that it had suffered a data breach after a phishing lure fooled its employees.

Read on to discover how this breach happened, and the critical learnings to apply to your organization. 

Dropbox phishing incident

What’s Dropbox?

For those that aren’t Dropbox fans, where have you been!? Here’s a quick overview of the company. Dropbox is a huge file hosting service, offering customers a cloud-based platform for storage, data backup, and document signing. As of August 2022, the brand has over 17.37 million paying users and 700 million registered users.

Dropbox data breach demystified  

In its blog post about the breach, Dropbox has given a step-by-step walkthrough of how the incident went down. 

First things first, some background. Dropbox hosts some of its private code repositories on GitHub, and employees log in to GitHub to access them. The same GitHub login also grants access to CircleCI, a continuous integration and delivery platform that integrates with GitHub and accepts GitHub credentials for sign-in.

Enter the hackers in question, who sent out a targeted phishing campaign impersonating CircleCI.

“These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site,” Dropbox shared in its explanation. 

The fake page captured the employee’s GitHub password and the one-time code, and the attackers used them to log in to the employee’s legitimate GitHub account before the code expired. This is the key weakness of the setup: a one-time code is just a short-lived string, so a phishing site can relay it to the real login page within its validity window. The hardware token made the factor harder to steal at rest, but not harder to phish. Only a credential bound to the site’s origin, such as a WebAuthn/FIDO2 key, refuses to work for the wrong domain.
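To make the difference concrete, here is an added example (not code from Dropbox’s post or from Polymer) that simulates both flows offline. The OTP side is a standard RFC 6238 TOTP computed with the Python standard library; the WebAuthn side is a simplified stand-in in which an HMAC over the challenge and the browser’s origin plays the role of the authenticator’s signature over the client data. The seed, key and origins are constructed for the demo.

```python
"""Relay phishing: a password + OTP survives being proxied through a fake
login page, while an origin-bound WebAuthn-style assertion does not.

Added example; not Dropbox's or Polymer's code. The WebAuthn part is a
simplified model: a real authenticator signs authenticatorData plus a hash
of clientDataJSON (which carries the origin) with a private key scoped to
the relying-party ID. Here an HMAC over challenge||origin stands in for
that signature so the script runs without a browser or security key.
"""
import hashlib
import hmac
import secrets
import struct

# --- Constructed data ---------------------------------------------------------
OTP_SEED = b"demo-hardware-token-seed"        # secret provisioned on the OTP token
LEGIT_ORIGIN = "https://circleci.com"         # the site the user meant to log in to
PHISH_ORIGIN = "https://circleci-login.example"  # attacker-controlled lookalike
CREDENTIAL_KEY = b"demo-private-key-stand-in"  # stands in for a WebAuthn private key


def totp(seed: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(seed: bytes, code: str, now: float, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps,
    which is the usual clock-skew tolerance a server applies."""
    return any(
        hmac.compare_digest(totp(seed, now + d * step), code)
        for d in range(-window, window + 1)
    )


def relay_otp_phish(now: float) -> bool:
    """Victim types the current OTP into the fake page; attacker forwards it to
    the real site a few seconds later. Returns True if the real site accepts it."""
    victim_code = totp(OTP_SEED, now)
    return verify_totp(OTP_SEED, victim_code, now + 5)


def sign_assertion(challenge: bytes, origin: str) -> bytes:
    """Stand-in for the authenticator signature: the browser binds the origin
    it is actually talking to into the signed data."""
    return hmac.new(CREDENTIAL_KEY, challenge + origin.encode(), hashlib.sha256).digest()


def verify_assertion(challenge: bytes, expected_origin: str, signature: bytes) -> bool:
    """Relying party checks the signature against the origin it expects."""
    return hmac.compare_digest(sign_assertion(challenge, expected_origin), signature)


def relay_webauthn_phish() -> bool:
    """Attacker relays the real server's challenge to the victim. The victim's
    browser signs for the origin it sees (the phishing page), so the real
    server's check fails. Returns True only if the attacker gets in."""
    challenge = secrets.token_bytes(32)            # issued by the legitimate server
    forged = sign_assertion(challenge, PHISH_ORIGIN)
    return verify_assertion(challenge, LEGIT_ORIGIN, forged)


if __name__ == "__main__":
    import time
    print("OTP relayed through phishing page accepted:", relay_otp_phish(time.time()))
    print("WebAuthn-style assertion relayed accepted:", relay_webauthn_phish())
```

The OTP check passes because nothing in the six-digit code says which site it was typed into; the assertion check fails because the origin is part of what was signed. In real WebAuthn the browser additionally refuses to use a credential whose relying-party ID does not match the page’s domain, so the phishing page never even obtains a signature.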

As Dropbox notes, the phishing campaign “eventually succeeded, giving the threat actor access to one of our GitHub organizations where they proceeded to copy 130 of our code repositories.”

GitHub noticed suspicious activity in the account the next day (October 14) and alerted Dropbox. Dropbox then quickly disabled the attacker’s access to the repositories and started reviewing its logs to work out what had been taken.
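Copying 130 repositories in a short burst is exactly the kind of pattern an audit-log detection can catch without waiting for the hosting provider to notice. The following is an added example, not code from Dropbox, GitHub or Polymer: a sliding-window burst detector over constructed git-clone audit events that alerts when one account clones many distinct repositories in a short window, and reports whether the source address is outside that account’s usual baseline. The event schema and baseline are simplified and made up for the demo; GitHub’s real audit-log format differs.

```python
"""Mass-clone burst detection over git audit events.

Added example; not Dropbox's, GitHub's or Polymer's code. Events use a
constructed schema (ts, actor, action, repo, ip), not GitHub's audit-log
field names. The baseline of known source addresses is also constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed baseline: addresses each account has historically cloned from.
BASELINE = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.11"}}


def _evt(ts, actor, repo, ip):
    return {"ts": ts, "actor": actor, "action": "git.clone", "repo": repo, "ip": ip}


# Constructed audit events: routine clones during the day, then one account
# pulling 25 distinct repositories in ten minutes from an unfamiliar address.
EVENTS = [
    _evt("2022-10-13T09:02:11", "alice", "web-frontend", "203.0.113.10"),
    _evt("2022-10-13T09:40:53", "bob", "billing", "203.0.113.11"),
    _evt("2022-10-13T11:15:00", "alice", "infra-tools", "203.0.113.10"),
] + [
    _evt(f"2022-10-13T22:{i // 6:02d}:{(i * 10) % 60:02d}", "alice",
         f"repo-{i:03d}", "198.51.100.7")
    for i in range(25)
]


def detect_mass_clone(events, baseline, max_repos=20, window=timedelta(minutes=30)):
    """Alert once per actor when it has cloned at least `max_repos` distinct
    repositories within `window`. Each alert lists any source addresses in
    that window that are not in the actor's baseline."""
    recent = defaultdict(deque)        # actor -> deque of (timestamp, repo, ip)
    alerts, flagged = [], set()
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if e["action"] != "git.clone":
            continue
        ts = datetime.fromisoformat(e["ts"])
        q = recent[e["actor"]]
        q.append((ts, e["repo"], e["ip"]))
        while ts - q[0][0] > window:   # evict events that fell out of the window
            q.popleft()
        distinct = {repo for _, repo, _ in q}
        if len(distinct) >= max_repos and e["actor"] not in flagged:
            flagged.add(e["actor"])
            ips = {ip for _, _, ip in q}
            alerts.append({
                "actor": e["actor"],
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "repos": len(distinct),
                "unknown_ips": sorted(ips - baseline.get(e["actor"], set())),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_clone(EVENTS, BASELINE):
        print(alert)
```

The threshold and window are deliberately simple; in practice you would tune them per team (a CI runner legitimately clones many repositories) and feed the alert into the same workflow that revokes the account’s sessions and tokens, since a stolen password plus OTP session remains valid until it is explicitly invalidated.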

Luckily for Dropbox, it seems that they got off pretty lightly. They noted that the hackers took “copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team” along with a “few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.”

If you read the blog post, you’ll notice that Dropbox appears pretty blasé about the whole thing. This is because it appears that no sensitive customer content was exposed in this incident. At the same time, Dropbox noted that it has notified all customers affected by the breach, so check your inbox if you’re a customer!

Lessons learned 

Dropbox wrapped up its blog post by stating that it is accelerating its move to WebAuthn, with hardware tokens or biometric factors, to reduce the likelihood of successful phishing attacks. That is the right fix for this particular lure: a WebAuthn credential is bound to the site’s origin, so a fake CircleCI page cannot relay it the way it relayed the one-time code. But, as we saw in the Twilio and Uber breaches, multi-factor authentication based on codes or push approvals isn’t enough on its own to stop sophisticated social engineering.

Dropbox knows this. It even concludes its post saying: “We know it’s impossible for humans to detect every phishing lure. Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time.”

While we agree to some extent, we think there are a couple of things companies like Dropbox can do to up their defense against such attacks.

First, creating a culture of security is paramount. It’s impossible for employees to proactively scrutinize every single email or message they receive for signs of phishing. However, it is possible to put solutions in place that nudge users towards security-conscious decisions.

Next-generation security education solutions, like Polymer Data Loss Prevention (DLP), offer in-app prompts that help users make secure choices, preventing them from sharing sensitive data or clicking on malicious links. 

Another thing: in September 2022, a few weeks before this attack took place, GitHub published a security alert about phishing campaigns impersonating CircleCI, yet the campaign still succeeded at Dropbox. A little more communication and strategy around security awareness, such as circulating vendor alerts that name the exact lure in play, would have gone a long way.

Finally, in cases where hackers do manage to break into GitHub or other apps through a successful phishing attack, deploying cloud-based DLP like Polymer DLP is paramount.

These solutions can block attempts to share, download or delete sensitive information, even from a legitimate employee account that has been compromised. Using behavior analytics and automation, they analyze user interactions with sensitive data in real time and flag or stop activity that doesn’t match how the account normally behaves.

Polymer is a no-code data loss prevention (DLP) platform that allows companies to monitor, auto-remediate, and apply behavioral techniques to reduce the risk of insider threats, sensitive data misuse, and leakage over third-party SaaS apps. Try Polymer for free.
