The 2022 phishing breach: 130 internal GitHub repositories stolen
November 2022
A phishing campaign impersonating the CI provider CircleCI tricked Dropbox employees into handing over credentials and 2FA codes, letting attackers copy 130 of Dropbox's private source-code repositories.
What happened
In early October 2022 Dropbox employees received phishing emails impersonating CircleCI, a continuous-integration platform Dropbox used. The emails led to a convincing fake login page that harvested both GitHub credentials and the one-time two-factor codes generated by the employees' hardware authentication keys. Because a one-time code is valid wherever it is typed, the attacker could relay the captured credentials and code to GitHub within the code's validity window, sign in to one of Dropbox's GitHub organizations, and copy 130 internal source-code repositories.
Dropbox said the stolen repositories included copies of third-party libraries modified for Dropbox's use, internal prototypes, and some tools and configuration files used by its security team, and that they contained some credentials, primarily API keys used by Dropbox developers. It stated that the repositories did not contain the source code of its core apps or infrastructure, and that no customer content, passwords, or payment information was accessed, although the code and surrounding data did include a few thousand names and email addresses of employees, customers, sales leads and vendors.
Impact
The breach demonstrated that accounts protected by one-time-code 2FA, even codes produced by a hardware token, can fall to real-time (adversary-in-the-middle) phishing, because the relying party cannot tell whether the code was typed on its own login page or on an attacker's. It exposed internal code and developer secrets, prompted Dropbox to accelerate its move to phishing-resistant WebAuthn (FIDO2) authentication with hardware tokens or biometric factors across the organization, and became a frequently cited example of CI/CD-targeted supply-chain phishing. WebAuthn resists this attack because the browser binds each signed assertion to the origin the user is actually on, so an assertion produced on a lookalike domain is rejected by the real site even if the attacker proxies it verbatim.
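The following is an added example, not code from Dropbox, GitHub or CircleCI, that demonstrates the difference described in the two sections above. It models a password-plus-TOTP login and a WebAuthn login behind a real-time phishing proxy that forwards everything verbatim. The origins, password and device seed are constructed, and the authenticator signs with HMAC as a stand-in for the ECDSA signature a real security key would produce; the checks the relying party performs follow the WebAuthn assertion-verification steps.

```python
"""Why a relayed OTP code passes but a relayed WebAuthn assertion fails.

Added example, not Dropbox's, GitHub's or CircleCI's code. The origins,
password and device seed below are constructed stand-ins.
"""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://github.example"           # constructed: the site being impersonated
PHISH_ORIGIN = "https://circleci-login.example"  # constructed: attacker's lookalike page
PASSWORD = "correct horse battery staple"        # constructed victim password
OTP_SEED = b"constructed-otp-seed"               # constructed seed of the victim's OTP device


# ---- Password + one-time code: the factor that was relayed in the Dropbox case ----

def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def otp_login(password: str, code: str, now: int) -> bool:
    """The real site's check. Nothing here says where the user typed the code."""
    return (hmac.compare_digest(password, PASSWORD)
            and hmac.compare_digest(code, totp(OTP_SEED, now)))


def phish_relay_otp(now: int) -> bool:
    """Victim enters password and current code on the fake page; the attacker
    replays both to the real site a few seconds later, inside the same window."""
    captured_password = PASSWORD
    captured_code = totp(OTP_SEED, now)          # produced by the victim's own device
    return otp_login(captured_password, captured_code, now + 5)


# ---- WebAuthn: the assertion is bound to the origin the browser is really on ----

class Authenticator:
    """Stand-in for a hardware key. A real key signs with a per-site private key
    (ECDSA); HMAC with a per-site secret is used here as a simplification."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def registration_key(self) -> bytes:
        return self._key   # a real relying party would store only the public key

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> tuple[bytes, bytes]:
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        auth_data = rp_id_hash + b"\x01" + b"\x00\x00\x00\x01"   # flags (user present), counter
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._key, to_sign, hashlib.sha256).digest()


class WebAuthnRelyingParty:
    def __init__(self, origin: str, verify_key: bytes) -> None:
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self.verify_key = verify_key
        self.pending: set[str] = set()

    def begin_login(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def finish_login(self, client_data_json: bytes, auth_data: bytes, signature: bytes) -> bool:
        """Verification steps in the order the WebAuthn spec lists them."""
        client_data = json.loads(client_data_json)
        if client_data.get("type") != "webauthn.get":
            return False
        if client_data.get("challenge") not in self.pending:
            return False                              # unknown or replayed challenge
        if client_data.get("origin") != self.origin:
            return False                              # the phishing-resistant step
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False                              # credential scoped to another rpId
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        expected = hmac.new(self.verify_key, to_sign, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.pending.discard(client_data["challenge"])
        return True


def browser_get(authenticator: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """The browser, not the page's JavaScript, writes the origin it is on into
    clientDataJSON. (A real browser would also refuse an rpId that is not a
    registrable suffix of the page's domain; that check is omitted here.)"""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    auth_data, signature = authenticator.get_assertion(rp_id, client_data_json)
    return client_data_json, auth_data, signature


def webauthn_login(page_origin: str) -> bool:
    """One login with the user on `page_origin`. When that is the phishing page,
    the attacker proxies the challenge and the assertion unchanged, exactly as
    the OTP code was relayed above."""
    key = Authenticator()
    rp = WebAuthnRelyingParty(REAL_ORIGIN, key.registration_key())
    challenge = rp.begin_login()                      # forwarded to the victim verbatim
    assertion = browser_get(key, page_origin, rp.rp_id, challenge)
    return rp.finish_login(*assertion)                # forwarded back verbatim
```

`phish_relay_otp` succeeds because the OTP check has no notion of origin; `webauthn_login(PHISH_ORIGIN)` fails at the origin comparison even though the challenge is fresh and the signature is valid, which is the property Dropbox moved to.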