Anatomy of a Breach: Dropbox — Phishing Attack Exposes 130 Source Code Repositories

> series: anatomy_of_a_breach —— part: 167 —— target: dropbox —— repos: 130 —— method: circleci_phishing —— stolen: source_code_api_keys

Hedgehog Security 30 November 2022 11 min read

A fake CircleCI login page. One employee's credentials. 130 source code repositories.

In November 2022, Dropbox disclosed that a phishing attack had compromised an employee's GitHub credentials by impersonating CircleCI — a CI/CD platform that Dropbox uses in its development pipeline. The employee received a convincing email appearing to come from CircleCI, clicked the link, and entered their GitHub username, password, and hardware authentication key on a fake login page. The attacker used the stolen credentials to access 130 of Dropbox's private GitHub repositories.

The compromised repositories contained copies of third-party libraries modified for Dropbox's use, internal prototypes, configuration files, and some data used by the security team — including employee names, email addresses, and a small number of customer email addresses. API keys were also exposed. Dropbox confirmed that no customer content, passwords, or payment information was accessed. The attack was part of a broader phishing campaign impersonating CircleCI that targeted multiple organisations — exploiting the trust developers place in their CI/CD pipeline tools.


Impersonating the tools developers trust. The new phishing frontier.

CI/CD Pipeline as Phishing Lure

The attackers impersonated CircleCI — a tool developers interact with daily and trust implicitly. Phishing that targets developer tools (GitHub, CircleCI, Jenkins, GitLab) exploits the trust relationship between developers and their build pipeline. Our <a href="/penetration-testing/social-engineering">social engineering assessments</a> include developer-targeted phishing scenarios.

Hardware Key Captured by Phishing Page

The employee entered their hardware authentication key response on the phishing page — demonstrating that even hardware-backed MFA can be captured through sophisticated real-time phishing (the phishing page relays the MFA challenge in real time). Only FIDO2/WebAuthn-based authentication — which cryptographically verifies the domain — resists this relay attack. <a href="/cyber-essentials">Cyber Essentials Danzell</a> addresses phishing-resistant MFA.

Source Code Exposure — Again

Dropbox joined <a href="/blog/anatomy-of-a-breach-twitch">Twitch</a> (2021), <a href="/blog/anatomy-of-a-breach-lapsus">Microsoft/Samsung (Lapsus$)</a> (2022), and <a href="/blog/anatomy-of-a-breach-nhs-advanced-lastpass">LastPass</a> (2022) in suffering source code exposure — a growing trend as attackers target developer infrastructure. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses source code repository security.

Domain-Bound MFA Is Essential

The Dropbox breach proved that MFA methods vulnerable to real-time phishing relay (including TOTP and hardware OTP) can be bypassed. Only domain-bound authentication (FIDO2 passkeys, WebAuthn) provides true phishing resistance — the authentication is cryptographically bound to the legitimate domain and cannot be relayed. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for anomalous repository access patterns.

Developer tools are phishing targets. FIDO2 is the only answer.

The Dropbox breach demonstrated that developer-targeted phishing — impersonating trusted CI/CD tools — can bypass even hardware-backed MFA through real-time relay attacks. The only MFA method that fully resists this attack is FIDO2/WebAuthn, which cryptographically binds authentication to the legitimate domain. Cyber Essentials Danzell addresses phishing-resistant MFA. Our social engineering testing includes developer-targeted phishing. Infrastructure testing assesses source code repository security. SOC in a Box monitors for anomalous code repository access. And UK Cyber Defence provides incident response when developer infrastructure is compromised.


A fake CircleCI page captured Dropbox developer credentials — including hardware MFA. Is your dev pipeline secured?

<a href="/penetration-testing/social-engineering">Social engineering testing</a> targets developers. <a href="/cyber-essentials">Cyber Essentials</a> addresses phishing-resistant MFA. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> secures code repositories.
