Dropbox has suffered a security breach after threat actors stole 130 code repositories after gaining access to one of its GitHub accounts using employee credentials stolen in a phishing attack.
The company discovered the attackers breached the account on October 14 when GitHub notified it of suspicious activity that started one day before the alert was sent.
“To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers,” Dropbox revealed on Tuesday.
Avoiding clever phishing emails is becoming more difficult to achieve with the increasing tactics used by threat actors. Sophisticated techniques which manipulate staff to sites are distinctly becoming more impressive, and those targeted are often none the wiser once they are compromised. Software countermeasures are helpful but unfortunately do not always work in protecting users from overriding any warnings. Continual and impromptu staff awareness is still thought to be one of the best defences in these types of campaigns, which show no sign of slowing down.
Far too often employees fall victim to phishing attacks, placing sensitive company assets at risk of malicious threats. The important piece to recognize in this case is that systems and processes were in place to detect symptoms of a breach and allowed the afflicted organization to jump right on their investigation and notify all of those affected.
With the rise of remote work, it has become challenging for organizations to implement perimeter security systems. Often, they are attempting to determine how to safeguard employees while they are no longer physically present in the office. These types of attacks serve as a constant reminder that our identity is now the perimeter of our organization. By increasing the adoption of zero trust practices, businesses can ensure the validation of all users, limit the applications each user is entitled to, and capture a full audit trail for forensic and compliance needs.
This recent data breach is evidence that even simple attack techniques like phishing are capable of impacting a company as large and sophisticated as Dropbox. Threat actors were able to gain access and quickly move through stealing both credentials and code repositories. Incidents like this reflect the urgent need for companies to improve their security posture and adopt zero trust to prevent and mitigate incidents.
Dropbox, like its other storage peers, is a super aggregator of data. This makes them an attractive target for hackers, and it also puts the onus on Dropbox to make itself harder to break than would otherwise be expected. So even if they do security better, they have to do it a lot better than a normal company of their size and revenue to avoid being a victim. In time, we’ll learn which companies did security right and were motivated before, during and after a breach by the right motives and goals. Transparency is always a good thing here, and acting quickly, having a plan, learning from lessons, taking accountability and facing hard truths. But time will tell. And there is always a lesson to be learned from every iteration of an incident response plan and process. Anyone can suffer an infrastructure breach, and everyone can learn from each other how to get more resilient and avoid information breaches.
It seems from the outside looking in that Dropbox knows their own weaknesses and have plans they are accelerating to improve identity security and strengthen authentication and authorization. My advice is to keep going, look for single points of failure, be as transparent as you can post incident, ask for external advisors post incident even if it’s under NDA, update risk assessments, get those lessons learned, continue to act with customers and partners in mind first and foremost. History will see you as a hero or a villain, never a victim, so make decisions to be the hero.
Dropbox and all public and private sector organizations should carry a post-breach mindset with them on a daily basis with the assumption that motivated and well-funded hackers will be successful in the initial breach attempts. What happens next is critical because as defenders we should be threat hunting around the clock to root out potential malicious activity before material losses occur.
As MFA adoption increases in popularity, we see criminals adapt their methods to bypass MFA controls by tricking the users in increasingly sophisticated ways. This is why phishing-resistant MFA is strongly advised so that social engineering attacks have less likelihood of succeeding. From a technology perspective, this principle of phishing resistance applies beyond MFA and to any system or process a human interacts with. Ultimately though, social engineering is about tricking people, and so, we cannot overlook the importance of timely and appropriate user awareness and training to help them understand the threats that are present, how to identify them, and how to report any suspicious activity.
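The comment above recommends phishing-resistant MFA without spelling out what makes it resistant. The following is an added illustration, not code from Dropbox or from any of the commentators, of the property that matters: a FIDO2/WebAuthn assertion is computed over the relying party ID and the browser-reported page origin, so an assertion obtained on a look-alike page cannot be replayed to the real site, whereas a one-time code typed into that page can. To stay within the Python standard library the public-key signature is modelled as an HMAC keyed by a per-credential secret that the authenticator and the relying party share; the hostnames, origins and secrets are constructed for the demo.

```python
"""Simplified model of origin-bound (phishing-resistant) MFA versus a relayable OTP.

Added example, not Dropbox's or any vendor's code. The HMAC stands in for the
WebAuthn signature (assumption: the RP holds the credential secret instead of a
public key); example.com and evil.test are constructed hostnames.
"""
import hashlib
import hmac
import os
from typing import Optional


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def browser_allows_rp_id(page_host: str, rp_id: str) -> bool:
    """Browser rule: a page may only request an RP ID that is its own host or a parent domain."""
    return page_host == rp_id or page_host.endswith("." + rp_id)


class Authenticator:
    def __init__(self) -> None:
        self._creds: dict[str, bytes] = {}  # rp_id -> per-credential secret

    def register(self, rp_id: str) -> bytes:
        secret = os.urandom(32)
        self._creds[rp_id] = secret
        return secret  # handed to the RP in this simplified model

    def get_assertion(self, page_origin: str, rp_id: str, challenge: bytes) -> Optional[dict]:
        page_host = page_origin.split("://", 1)[1]
        if not browser_allows_rp_id(page_host, rp_id):
            return None  # browser refuses: the page cannot claim another site's RP ID
        secret = self._creds.get(rp_id)
        if secret is None:
            return None  # the credential is scoped to an RP ID this page does not own
        client_data = f"{page_origin}|{challenge.hex()}".encode()
        to_sign = _sha256(rp_id.encode()) + _sha256(client_data)  # origin and RP ID are bound in
        return {"origin": page_origin, "challenge": challenge,
                "mac": hmac.new(secret, to_sign, hashlib.sha256).digest()}


class RelyingParty:
    def __init__(self, rp_id: str, expected_origin: str) -> None:
        self.rp_id = rp_id
        self.expected_origin = expected_origin
        self.secret: Optional[bytes] = None

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, assertion: Optional[dict], challenge: bytes) -> bool:
        if assertion is None or assertion["challenge"] != challenge:
            return False  # nothing to verify, or a replayed assertion
        if assertion["origin"] != self.expected_origin:
            return False  # produced on a page that is not ours
        client_data = f"{assertion['origin']}|{challenge.hex()}".encode()
        to_sign = _sha256(self.rp_id.encode()) + _sha256(client_data)
        expected = hmac.new(self.secret, to_sign, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["mac"])


def hotp_code(secret: bytes, counter: int) -> str:
    """Counter-based OTP (RFC 4226 dynamic truncation, 6 digits): bound to nothing but the counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def run_scenarios() -> dict:
    rp = RelyingParty("example.com", "https://login.example.com")
    auth = Authenticator()
    rp.secret = auth.register(rp.rp_id)
    results = {}

    # 1. Genuine login from the real origin is accepted.
    ch = rp.new_challenge()
    results["genuine"] = rp.verify(auth.get_assertion("https://login.example.com", rp.rp_id, ch), ch)

    # 2. A look-alike page relays the real challenge and asks for the real RP ID:
    #    the browser refuses because the page host is not under example.com.
    ch = rp.new_challenge()
    results["phish_claims_real_rp_id"] = rp.verify(
        auth.get_assertion("https://login-example.com.evil.test", rp.rp_id, ch), ch)

    # 3. The look-alike page asks for its own RP ID: no credential exists for it.
    ch = rp.new_challenge()
    results["phish_own_rp_id"] = rp.verify(auth.get_assertion("https://evil.test", "evil.test", ch), ch)

    # 4. A captured genuine assertion is rejected against a fresh challenge.
    ch = rp.new_challenge()
    captured = auth.get_assertion("https://login.example.com", rp.rp_id, ch)
    results["replay"] = rp.verify(captured, rp.new_challenge())

    # 5. Contrast: an OTP is identical wherever it is typed, so a relayed code verifies.
    otp_secret = os.urandom(20)
    results["otp_relayed"] = hotp_code(otp_secret, 7) == hotp_code(otp_secret, 7)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:24s} login accepted: {accepted}")
```

Scenarios 2 and 3 are the whole argument for phishing-resistant MFA: the user can be convinced to click and to touch the key, yet no usable assertion ever leaves the authenticator, because the binding is enforced by the browser and the credential scope rather than by the user's judgement. Scenario 5 is the property that OTP and push-approval factors lack, which is why they remain relayable through a look-alike page.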