Late Monday night, the popular file-hosting site Dropbox announced that it suffered a phishing attack. While no content, passwords or payment information was accessed, the hacker did “successfully access some of the code [they] store in GitHub”.
The company revealed that on October 14 it became aware that an attacker had stolen employee credentials and used them to access source code containing “primarily, API keys – used by Dropbox developers”. While it is currently unclear what those API keys were used for, Dropbox has drawn criticism from API experts for not properly securing these assets.
“Static API keys and other important credentials used by app developers should be secured in some manner and not stored in plain text as part of any at-rest application source code. Data encryption or leveraging a secure data vault provide two common and more secure alternatives. The Dropbox breach serves as a good reminder for organizations to scan their source code repositories to look for any credentials stored in plain text (API keys, passwords, etc.) that a threat actor could potentially use if they were to gain access to the repository. Additionally, this type of threat illustrates why organizations require runtime API security, which can detect and prevent API abuse if an API key was compromised and used in an API attack,” said Nick Rago, Field CTO at Salt Security, a leading API security provider.
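The repository scan Rago recommends can be approximated with a small script. The following is an added example for illustration; it is not code from Dropbox, Salt Security or any of the quoted experts. The detection rules are assumptions chosen for the demonstration: one rule matches the documented shape of an AWS access key ID, and a generic rule catches assignments such as `token = "..."` or `DB_PASSWORD=...`, with a Shannon-entropy threshold so that obvious placeholders are ignored. The sample repository it scans is constructed inline, and every value in it is made up.

```python
"""Find credentials stored in plain text in a source tree (added example)."""
import math
import os
import re
import tempfile
from collections import Counter

# Assumed, illustrative rules. The AWS rule relies on the publicly documented
# "AKIA" prefix and 20-character length; the generic rule is deliberately broad
# and is filtered by entropy below.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_credential": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})['\"]?"
    ),
}
SKIP_DIRS = {".git", "node_modules", "venv"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep enough of the value to locate it in the file, not enough to reuse it."""
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def scan_text(text: str, path: str = "<memory>", min_entropy: float = 3.0) -> list:
    """Return one finding per rule hit; low-entropy generic hits are dropped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                if rule == "generic_credential" and shannon_entropy(value) < min_entropy:
                    continue  # e.g. "xxxxxxxxxxxxxxxxxxxx" is a placeholder, not a secret
                findings.append({"path": path, "line": lineno, "rule": rule, "value": redact(value)})
    return findings


def scan_tree(root: str) -> list:
    """Walk a checkout, skipping VCS and dependency directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample repository; every value is invented for the demonstration.
SAMPLE_FILES = {
    "config.py": (
        'API_KEY = "changeme"\n'                        # too short to be a real key
        'aws_access_key_id = "AKIAEXAMPLEEXAMPLE00"\n'  # matches the AWS key shape
        'token = "Zq8vL1xT3nWb9pKs"\n'                  # high-entropy value
        'secret = "xxxxxxxxxxxxxxxxxxxx"\n'             # placeholder, entropy 0
    ),
    ".env": "DB_PASSWORD=Qm7vLp2XtR9sKw4Nb8Zc\n",        # unquoted, no spaces
    "README.md": "Set API_KEY in your environment, never in the repo.\n",
}


def run_demo() -> list:
    """Write the constructed repo to a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="secret-scan-demo-")
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['value']}")
```

Run as a pre-commit hook or in CI, a scan like this fails the build before a key reaches a shared repository; the entropy cut-off is what keeps it from flagging every `password = "changeme"` in test fixtures, and the redacted output means the scanner's own logs do not become a second copy of the secret.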
Martin Jartelius, Chief Security Officer at Outpost24, pointed out that while Dropbox was fortunate not to lose customer data, it could have been a lot worse. “What we can note here that is positive is that while the user affected had access to repos made available to most developers in the organization, this did not include the core product repositories. The less great part is that both staff and partner personal data were stored in git repositories; hopefully this only relates to contact information relevant to developers, but from the released information this is not entirely clear,” he said.
Other experts have been quick to note that although phishing is considered a fairly rudimentary attack method, it remains a popular technique among hackers. “While the impression of hackers is usually of technical geniuses using brilliant attack methods and sophisticated tools to skirt defensive measures, the reality is far from it. A majority of cyber incidents, such as this case, are due to preventable human error or simple methods of attack such as stolen credentials or phishing,” said Erfan Shabadi, cybersecurity expert at comforteAG.
Javvad Malik, lead security awareness advocate at KnowBe4, pointed out that this is an example of threat actors finding new ways to bypass MFA. “As MFA adoption increases in popularity, we see criminals adapt their methods to bypass MFA controls by tricking the users in increasingly sophisticated ways. This is why phishing-resistant MFA is strongly advised, so that social engineering attacks have less likelihood of succeeding. From a technology perspective, this principle of phishing resistance applies beyond MFA to any system or process a human interacts with. Ultimately though, social engineering is about tricking people, and so we cannot overlook the importance of timely and appropriate user awareness and training to help them understand the threats that are present, how to identify them, and how to report any suspicious activity,” he said.
While Dropbox’s security measures have been criticised, the company’s response to the hack has been applauded. “It seems from the outside looking in that Dropbox knows their own weaknesses and have plans they are accelerating to improve identity security and strengthen authentication and authorization. My advice is to keep going, look for single points of failure, be as transparent as you can post-incident, ask for external advisors post-incident even if it’s under NDA, update risk assessments, get those lessons learned, continue to act with customers and partners in mind first and foremost. History will see you as a hero or a villain, never a victim, so make decisions to be the hero,” said Sam Curry, Chief Security Officer at Cybereason.