Dropbox admits 130 of its private GitHub repos were copied after phishing attack

Dropbox has said it was successfully phished, resulting in someone copying 130 of its private GitHub code repositories and swiping some of its secret API credentials. The cloud storage locker on Tuesday detailed the intrusion, and stated "no one's content, passwords, or payment information was accessed, and the issue was …

  1. Anonymous Coward

    Drop claims to improve by using 2FA, but according to their earlier statement the phishing worked despite 2FA (HW token) already being in place.

    I guess that's why they were boxed into concluding that it is inevitable some phishing attacks will succeed.

    Surely improvement is possible.

    (1) "These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site," Dropbox's explanation states.

    (2) The company's write-up said it was already working to combat this sort of incident by upgrading its two-factor authentication systems to WebAuthn multi-factor authentication and will soon use hardware tokens or biometric factors across its entire environment.
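
Added example, not part of the comment or of Dropbox's write-up: a sketch of why the OTP step quoted in (1) can be relayed by a look-alike page while the WebAuthn upgrade quoted in (2) is bound to the site. It assumes RFC 4226 HOTP as a stand-in for the hardware key's OTP, and the origins, secret and challenge are constructed values.

```python
import base64, hashlib, hmac, json, struct

RP_ORIGIN = "https://login.example.com"        # constructed: the genuine site
FAKE_ORIGIN = "https://login.example-ci.test"  # constructed: look-alike page

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, standing in for the OTP a hardware token emits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_otp(secret: bytes, counter: int, submitted: str) -> bool:
    # The code carries no record of which site the user entered it on,
    # so the server cannot tell a direct login from a forwarded one.
    return hmac.compare_digest(hotp(secret, counter), submitted)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as a browser builds it: the origin field is filled in
    by the browser from the calling page, not supplied by the page."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": page_origin}).encode()

def verify_client_data(client_data_json: bytes, challenge: bytes):
    """Relying-party checks on clientDataJSON. Verifying the authenticator's
    signature over authenticatorData + SHA-256(clientDataJSON) is a separate
    required step, omitted here; it is what stops a relay editing this JSON."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return (False, "wrong type")
    if not hmac.compare_digest(str(cd.get("challenge", "")), b64url(challenge)):
        return (False, "challenge mismatch")
    if cd.get("origin") != RP_ORIGIN:
        return (False, "origin mismatch")
    return (True, "ok")

def demo():
    secret, challenge = b"12345678901234567890", b"constructed-challenge-0001"
    relayed_code = hotp(secret, 0)  # entered on the look-alike page, forwarded
    otp_ok = verify_otp(secret, 0, relayed_code)
    phished = verify_client_data(browser_client_data(FAKE_ORIGIN, challenge), challenge)
    genuine = verify_client_data(browser_client_data(RP_ORIGIN, challenge), challenge)
    return otp_ok, phished, genuine

if __name__ == "__main__":
    print(demo())
```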

  2. R.O.

    The Biggest Cookie Jar Ever!

    The "Cloud" is neither secure nor private no matter what "they" say. It's more like a great big cookie jar in the sky with everybody and his brother dipping in a hand for free data cookies. Meanwhile, stupid corps and gov agencies fill the jar with our deepest secrets and personal data making them extra special tasty. If you want secure and private storage run your own server and have a guy who really knows security keep it going.
