Steal the code… Dropbox | Smart Thinking Solutions

Dropbox has admitted that 130 of its confidential private GitHub repositories were coped by a threat actor. Among the haul were secret APUI codes.

They do reassure users that no user content, usernames or passwords were stolen. Well of course not. That is not the issue. Why bother stealing those when you have the keys to the front door and just pretend to be Dropbox and do what you want.

130 private Dropbox GitHub repos copied after phish attack • The Register

There is a quote; “We believe the risk to customers is minimal,”, but I believe, without having any more information than is in the article, that it is too early to say that.

And how did all this start?

Phishing.

“These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site,” Dropbox’s explanation states.
Simon Sharwood, The Register from Dropbox statement

Is it time for your team to have a refresher course in what to look for when it comes to phishing emails? I have of course assumed you have run such a training course at least once!

Use of Dropbox

At this time there is no indication there will be a breach of user’s information.

However, I think if I was using Dropbox for any highly sensitive information, I would review that use. At the very least I would, if possible, encrypt those files. Passing the encryption key to those users that needed it by messaging not email. That would be a good stop gap step until a full review of Dropbox usage could be carried out. (You are using the “principle of least privilege?)

Are the Dropbox files backed up somewhere else?

Simon Sharwood’s article finishes with another quote from the Dropbox statement, in effect reminding everyone that whatever cyber security steps any organisation takes, they will not be successful 100% of the time.

That is good advice. What are your plans for when the threat actors have that single success against your excellent cyber security defences?

Clive Catton MSc (Cyber Security) – by-line and other articles

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.