Dropbox’s Github Hack: What actually happened?

Dropbox's Github Hack: What Actually Happened?

The famous file-sharing platform “Dropbox” revealed that they have been hacked recently as an attacker gained unauthorized access to 130 of their code repositories on GitHub.

Dropbox disclosed on November 1 that they indeed went through a security breach, mentioning an attacker gaining unauthorized access to their code repositories as confirmed but was contained within those repositories.

Dropbox’s security team confirmed that nobody’s content, passwords or payment information was accessed keeping the risk to customers minimal. They added to it that these code repositories did not include their core apps and infrastructure as that stays unaffected under stricter restrictions.

Dropbox’s Github hacked? How it happened

Dropbox as been running an active bug bounty program on BugCrowd and HackerOne(apparently disabled as of October, 2022). As it can be seen, Dropbox has put in a lot to keep their apps and infrastructure secure: with an estimate of over 750 vulnerabilities fixed and a total payout of $1,060,693 on HackerOne for the security vulnerabilities discovered.

Importantly, Dropbox agreed to the fact that threat landscape indeed has evolved over time which is why the considered “best practices” need to be revisited. Dropbox fell victim to a phishing campaign that led the attacker towards the code repositories on GitHub.

They were alerted on October 14, 2022 by GitHub due to the suspicious behavior that was observed. The attacker impersonated CircleCi to access Dropbox’s GitHub account. The phishing attacks consisted of identical CircleCi’s email templates that looked legitimate. The email led them to a CircleCi’s login page that asked for the GitHub login credentials.

They had multifactor authentication enabled for their account through a hardware based authentication that generated a One Time Password(OTP). Interestingly, the attacker succeeded with retrieving the generated One Time Password as well.

Dropbox took a step forward and properly investigated the incident. The investigation revealed that to date the code accessed by the attacker contained the API keys that were used by Dropbox developers. Moreover the code contained a few thousands of names and email addresses of their current and past customers, their developers, sales leads and vendors. The exposure of data is said to be minimal as Dropbox has a userbase of over 700 million registered users.

Dropbox’s next actions

Dropbox revealed the actions that they’re going to take further to avoid such incidents from happening again. They finally realized that all types multifactor authentication are not impactful and effective on the same level, they have to choose what works the best. The believe that there still are organizations that rely on weaker forms of multifactor authentication such as one time passwords(OTP), time-based one time password(TOTP) and push notifications but they believe WebAuthn is the gold standard in the options.

They have started with implementing WebAuthn, a more phishing resistant form of multifactor authentication as said through factors such as hardware tokens and biometric securing their environment.

We already talked about how multifactor authentication as becoming less effective, the Google’s revealed statistics were enough to tell us that the threat landscape has evolved to the point it requires our attention.


Social engineering attacks have been increasingly effective as it can be seen from the recent examples we can see. The changing threat landscape requires us to revisit our idea of implementing “best practices” used for protecting us against such attacks. With the prevention methods that we have been using, the attackers indeed have evolved with their methodologies as well, but this serves as an example that companies like Dropbox do need to invest into training programs effectively securing their employees and not just their digital infrastructure through bug bounty platforms.

Have anything to share? Share it in comments or contact us.

Leave a Reply

Your email address will not be published. Required fields are marked *