Dropbox Hacked

Late Monday night, the popular file-hosting site Dropbox announced that it suffered a phishing attack. While no content, passwords or payment information was accessed, the hacker did “successfully access some of the code [they] store in GitHub”. 


The company revealed that on October 14, they became aware that an attacker stole employee credentials, using them to access source code containing “primarily, API keys – used by Dropbox developers”. While it’s currently unclear what those API keys were used for, Dropbox has drawn criticism from API experts for not properly securing their assets. 


“Static API keys and other important credentials used by app developers should be secured in some manner and not stored in plain text as part of any at rest application source code. Data encryption or leveraging a secure data vault provide two common and more secure alternatives. The Dropbox breach serves as a good reminder for organizations to scan their source code repositories to look for any credentials stored in plain text (API keys, passwords, etc.) that a threat actor could potentially use if they were to gain access to the repository. Additionally, this type of threat illustrates why organizations require runtime API security, which can detect and prevent API abuse if an API key was compromised and used in an API attack,” said Nick Rago, Field CTO at Salt Security, a leading API security provider.
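
As an added illustration of the repository scan Rago recommends (example code written for this article, not Dropbox's or Salt Security's tooling), the scanner below flags provider-specific key formats by pattern and generic credential assignments by entropy, run over constructed sample source lines. The sample values, the pattern set and the 3.5-bit entropy threshold are assumptions chosen for the demonstration.

```python
import math
import re

# Constructed sample file contents for the demo; none of this is real Dropbox
# code and the key values are made up (the AWS one is AWS's documented example ID).
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
github_token = "ghp_0123456789abcdefghijklmnopqrstuvwxyzAB"
SECRET_KEY = "3f9a8c7b6e5d4a3b2c1d0e9f8a7b6c5d"
api_key = "changeme_changeme_changeme"
LOG_FORMAT = "%(asctime)s %(levelname)s %(message)s"
"""

# Provider-specific formats carry fixed prefixes, so a plain pattern match suffices.
KNOWN_KEY_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# Generic credentials: a variable named like a secret assigned a quoted literal.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:key|secret|token|password)\w*)\s*[:=]\s*['\"]([^'\"]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per char (assumed); random hex ~4.0, prose ~3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; high values suggest generated material."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str) -> list:
    """Return (line_no, finding_type, variable_or_match) for suspected secrets."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in KNOWN_KEY_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append((line_no, name, m.group(0)))
                break
        else:
            # Only flag generic assignments whose value looks random; this keeps
            # placeholders such as "changeme" out of the findings.
            m = GENERIC_ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high-entropy-secret", m.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, kind, what in scan_text(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind}: {what}")
```

In practice the same logic would be run over every file in the repository and in a pre-commit hook, so a key never reaches the remote history in the first place.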


Martin Jartelius, Chief Security Officer at Outpost24, pointed out that while Dropbox was fortunate not to lose customer data, it could have been a lot worse. “What we can note here that is positive is that while the user affected had access to repos made available to most developers in ..
