Storage provider Dropbox disclosed that cybercriminals stole 130 GitHub repositories through an employee’s account. In addition to code, the personal email addresses of employees and customers were captured.

The cybercriminals gained access to the employee’s account through a phishing attack, Dropbox said in a statement. The attack targeted multiple employees.

The authors of the phishing emails posed as the CircleCI CI/CD platform. The emails referred to a fake landing page. Here, employees were asked to input their GitHub login credentials and use a hardware authentication key to provide a One Time Password (OTP).

GitHub struggled with a similar attack last September. Cybercriminals impersonated CircleCI to steal users’ login credentials. The CI/CD platform appears to be a popular disguise for phishers.

Stolen data

Eventually, Dropbox’s attackers gained access to one of the organization’s GitHub environments. There, they managed to steal 130 repositories. The repositories mostly contained code, including copies of third-party libraries adapted to Dropbox. The repositories also hosted internal prototypes, as well as security tools and configuration files.

In addition, the cybercriminals captured the names and e-mail addresses of Dropbox’s employees, customers, sales leads and vendors. According to Dropbox, the cybercriminals did not gain access to payment and customer login data or Dropbox’s own infrastructure and application code.

Dropbox’s measures

Dropbox promises to further improve its data security. The entire Dropbox environment is being revamped with WebAuthn services, physical authentication tokens and biometric login options.

GitHub commented that it detected the attack and data theft almost immediately. The organization noted that cybercriminals were using VPN and/or proxy servers.