• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

My TechDecisions

  • Best of Tech Decisions
  • Topics
    • Video
    • Audio
    • Mobility
    • Unified Communications
    • IT Infrastructure
    • Network Security
    • Physical Security
    • Facility
    • Compliance
  • RFP Resources
  • Resources
  • Podcasts
  • Project of the Week
  • About Us
    SEARCH
Compliance, IT Infrastructure, Network Security

Dropbox Accelerates Adoption of WebAuthn in Response to Phishing Attack

Dropbox plans to move toward WebAuthn, in wake of a phishing campaign that accessed some of the code that the company store's in GitHub.

November 4, 2022 TD Staff Leave a Comment

POZNAN, POL - SEP 23, 2020: Laptop computer displaying logo of Dropbox, a file hosting service operated by Dropbox, Inc., headquartered in San Francisco, California
monticellllo/stock.adobe.com

Dropbox Inc., the San Francisco-based file syncing, sharing, online backup and cloud storage provider confirmed it was the target of a phishing campaign that accessed some of the code that the company store’s in GitHub. According to the company, no user’s content, passwords, or payment information was accessed. The company’s core apps and infrastructure were also unaffected.

Phishing lures are becoming harder to detect, with many being inundated with messages and notifications. In today’s threat landscape, threat actors have moved beyond harvesting usernames and passwords, to harvesting multi-factor authentication codes, as such in Dropbox’s case.

In September, GitHub detailed one such phishing campaign, in which a threat actor accessed GitHub accounts by impersonating the code integration and delivery platform CircleCI. Dropbox was targeted by a similar campaign. On October 14, 2022, GitHub alerted Dropbox to some suspicious behavior that began the previous day. Upon further investigation, the company found that a threat actor—also pretending to be CircleCI—accessed one of their GitHub accounts, too.

The company says at no point did the threat actor have access to the contents of anyone’s Dropbox account, password or their payment information.

Dropbox’s investigation found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers. The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads and vendors.

What happened and Dropbox’s response

Dropbox uses GitHub to host its public and some of its private repositories, as well as CircleCI for internal deployments. In early October, multiple Dropboxers received phishing emails impersonating CircleCI, with the intent of targeting Dropbox’s GitHub accounts (a person can use their GitHub credentials to login to CircleCI).

While Dropbox’s systems automatically quarantined some of the emails, others landed in Dropboxers’ inboxes. These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site. This eventually succeeded, giving the threat actor access to one of Dropbox’s GitHub organizations where they proceeded to copy 130 of the company’s code repositories.

On the same day, Dropbox says it was informed of the suspicious activity; the threat actor’s access to GitHub was disabled. The Dropbox security teams took immediate action to coordinate the rotation of all exposed developer credentials, and determine what customer data—if any—was accessed or stolen. The company reviewed its logs, and found no evidence of successful abuse. To be sure, the company says it hired an outside forensic experts to verify the findings, and reported the event to the appropriate regulators and law enforcement.

What Dropbox is doing next

“Our security teams work tirelessly to keep Dropbox worthy of our customer’s trust. While the information accessed by this threat actor was limited, we hold ourselves to a higher standard. We’re sorry we fell short, and apologize for any inconvenience,” said Dropbox in a blog post.

The company hopes to prevent a similar incident from occurring by accelerating adoption of WebAuthn.

Listen: My TechDecisions Podcast Episode 177: MFA is Not Created Equal

Not all types of multi-factor authentication are created equal, and some are more vulnerable to phishing than others. While many organizations still rely on less secure forms of multi-factor authentication—such as push notifications, one-time passwords (OTP), and time-based one-time passwords (TOTP)—WebAuthn is currently the gold standard.

Prior to the incident, Dropbox says it was already in the process of adopting this more phishing-resistant form of multi-factor authentication. The company hopes that its whole environment will be secured by WebAuthn with hardware tokens or biometric factors. WebAuthn is available to Dropbox customers.

“We know it’s impossible for humans to detect every phishing lure. For many people, clicking links and opening attachments is a fundamental part of their job. Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time. This is precisely why phishing remains so effective—and why technical controls remain the best protection against these kinds of attacks. As threats grow more sophisticated, the more important these controls become,” said Dropbox in a statement.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!

Tagged With: Credentials, Dropbox, GitHub, MFA, phishing, phishing campaigns, WebAuthn

Related Content:

  • Cloud, SASE, Aryaka How the Cloud is Redefining Media Production and…
  • Software License Spending, SaaS, cloud apps Your Guide to Choosing the Best Cloud Security…
  • IT Budget 2025 Budgeting Tips for IT Pros/CIOs in 2025
  • A close-up of a technician’s hands typing and navigating through troubleshooting steps on a computer in a well-lit office. , natural light, soft shadows, with copy space Five Ways to Reduce Desktop Support Troubleshooting Time

Free downloadable guide you may like:

  • Practical Design Guide for Office SpacesPractical Design Guide for Office Spaces

    Recent Gartner research shows that workers prefer to return to the office for in-person meetings for relevant milestones, as well as for face-to-face time with co-workers. When designing the office spaces — and meeting spaces in particular — enabling that connection between co-workers is crucial. But introducing the right collaboration technology in meeting spaces can […]

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Latest Downloads

Practical Design Guide for Office Spaces
Practical Design Guide for Office Spaces

Recent Gartner research shows that workers prefer to return to the office for in-person meetings for relevant milestones, as well as for face-to-fa...

New Camera Can Transform Your Live Production Workflow
New Camera System Can Transform Your Live Production Workflow

Sony's HXC-FZ90 studio camera system combines flexibility and exceptional image quality with entry-level pricing.

Creating Great User Experience and Ultimate Flexibility with Clickshare

Working and collaborating in any office environment today should be meaningful, as workers today go to office for very specific reasons. When desig...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales

AV-iQ

Footer

TechDecisions

  • Home
  • Welcome to TechDecisions
  • Contact Us
  • Comment Guidelines
  • RSS Feeds
  • Twitter
  • Facebook
  • Linkedin

Free Technology Guides

FREE Downloadable resources from TechDecisions provide timely insight into the issues that IT, A/V, and Security end-users, managers, and decision makers are facing in commercial, corporate, education, institutional, and other vertical markets

View all Guides
TD Project of the Week

Get your latest project featured on TechDecisions Project of the Week. Submit your work once and it will be eligible for all upcoming weeks.

Enter Today!
Emerald Logo
ABOUTCAREERSAUTHORIZED SERVICE PROVIDERSYour Privacy ChoicesTERMS OF USEPRIVACY POLICY

© 2025 Emerald X, LLC. All rights reserved.