Dropbox Accelerates Adoption of WebAuthn in Response to Phishing Attack

Dropbox Inc., the San Francisco-based file syncing, sharing, online backup and cloud storage provider confirmed it was the target of a phishing campaign that accessed some of the code that the company store’s in GitHub. According to the company, no user’s content, passwords, or payment information was accessed. The company’s core apps and infrastructure were also unaffected.

Phishing lures are becoming harder to detect, with many being inundated with messages and notifications. In today’s threat landscape, threat actors have moved beyond harvesting usernames and passwords, to harvesting multi-factor authentication codes, as such in Dropbox’s case.

In September, GitHub detailed one such phishing campaign, in which a threat actor accessed GitHub accounts by impersonating the code integration and delivery platform CircleCI. Dropbox was targeted by a similar campaign. On October 14, 2022, GitHub alerted Dropbox to some suspicious behavior that began the previous day. Upon further investigation, the company found that a threat actor—also pretending to be CircleCI—accessed one of their GitHub accounts, too.

The company says at no point did the threat actor have access to the contents of anyone’s Dropbox account, password or their payment information.

Dropbox’s investigation found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers. The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads and vendors.

Dropbox uses GitHub to host its public and some of its private repositories, as well as CircleCI for internal deployments. In early October, multiple Dropboxers received phishing emails impersonating CircleCI, with the intent of targeting Dropbox’s GitHub accounts (a person can use their GitHub credentials to login to CircleCI).

While Dropbox’s systems automatically quarantined some of the emails, others landed in Dropboxers’ inboxes. These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site. This eventually succeeded, giving the threat actor access to one of Dropbox’s GitHub organizations where they proceeded to copy 130 of the company’s code repositories.

On the same day, Dropbox says it was informed of the suspicious activity; the threat actor’s access to GitHub was disabled. The Dropbox security teams took immediate action to coordinate the rotation of all exposed developer credentials, and determine what customer data—if any—was accessed or stolen. The company reviewed its logs, and found no evidence of successful abuse. To be sure, the company says it hired an outside forensic experts to verify the findings, and reported the event to the appropriate regulators and law enforcement.

“Our security teams work tirelessly to keep Dropbox worthy of our customer’s trust. While the information accessed by this threat actor was limited, we hold ourselves to a higher standard. We’re sorry we fell short, and apologize for any inconvenience,” said Dropbox in a blog post.

The company hopes to prevent a similar incident from occurring by accelerating adoption of WebAuthn.

Listen: My TechDecisions Podcast Episode 177: MFA is Not Created Equal

Not all types of multi-factor authentication are created equal, and some are more vulnerable to phishing than others. While many organizations still rely on less secure forms of multi-factor authentication—such as push notifications, one-time passwords (OTP), and time-based one-time passwords (TOTP)—WebAuthn is currently the gold standard.

Prior to the incident, Dropbox says it was already in the process of adopting this more phishing-resistant form of multi-factor authentication. The company hopes that its whole environment will be secured by WebAuthn with hardware tokens or biometric factors. WebAuthn is available to Dropbox customers.

“We know it’s impossible for humans to detect every phishing lure. For many people, clicking links and opening attachments is a fundamental part of their job. Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time. This is precisely why phishing remains so effective—and why technical controls remain the best protection against these kinds of attacks. As threats grow more sophisticated, the more important these controls become,” said Dropbox in a statement.