Steal the code… Dropbox

Dropbox has admitted that 130 of its confidential private GitHub repositories were copied by a threat actor. Among the haul were secret API codes.

They do reassure users that no user content, usernames or passwords were stolen. Well, of course not. That is not the issue. Why bother stealing those when you have the keys to the front door and can just pretend to be Dropbox and do what you want?

130 private Dropbox GitHub repos copied after phish attack • The Register

There is a quote, “We believe the risk to customers is minimal,” but I believe, without having any more information than is in the article, that it is too early to say that.

And how did all this start?

Phishing.

“These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site,” Dropbox’s explanation states.

Simon Sharwood, The Register from Dropbox statement

Is it time for your team to have a refresher course in what to look for when it comes to phishing emails? I have of course assumed you have run such a training course at least once!

Use of Dropbox

At this time there is no indication there will be a breach of users’ information.

However, I think if I were using Dropbox for any highly sensitive information, I would review that use. At the very least I would, if possible, encrypt those files, passing the encryption key to those users that needed it by messaging, not email. That would be a good stopgap step until a full review of Dropbox usage could be carried out. (You are using the “principle of least privilege”?)

Are the Dropbox files backed up somewhere else?

Simon Sharwood’s article finishes with another quote from the Dropbox statement, in effect reminding everyone that whatever cyber security steps any organisation takes, they will not be successful 100% of the time.

That is good advice. What are your plans for when the threat actors have that single success against your excellent cyber security defences?

Clive Catton MSc (Cyber Security) – by-line and other articles
