Security News
Dropbox has said it was successfully phished, resulting in someone copying 130 of its private GitHub code repositories and swiping some of its secret API credentials. GitHub let Dropbox know the next day, and the cloud storage outfit investigated.
Dropbox disclosed a security breach after threat actors stole 130 code repositories after gaining access to one of its GitHub accounts using employee credentials stolen in a phishing attack. "To date, our investigation has found that the code accessed by this threat actor contained some credentials-primarily, API keys-used by Dropbox developers," Dropbox revealed on Tuesday.
Cloud-based repository hosting service GitHub has addressed a high-severity security flaw that could have been exploited to create malicious repositories and mount supply chain attacks. The RepoJacking technique, disclosed by Checkmarx, entails a bypass of a protection mechanism called popular repository namespace retirement, which aims to prevent developers from pulling unsafe repositories with the same name.
A stealthy cryptocurrency mining operation has been spotted using thousands of free accounts on GitHub, Heroku and other DevOps outfits to craft digital tokens. Sysdig estimated each of those 30 free GitHub accounts cost the Microsoft-owned giant $15 per month, and the free tier accounts from Heroku, Buddy and others cost providers between $7 and $10 per month.
Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept exploits for various vulnerabilities, some of them including malware. GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits to help the security community verify fixes for vulnerabilities or determine the impact and scope of a flaw.
Toyota has admitted it put 296,019 email addresses and customer management numbers of folks who signed up for its T-Connect assistance website at risk of online theft by bungling its security. Once Toyota looked at that source code, the manufacturing giant realized this public-facing code repository contained an access key to a server that stored customer data.
Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years. Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.
Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. Last week, Vietnamese cybersecurity firm GTSC disclosed that some of their customers had been attacked using two new zero-day vulnerabilities in Microsoft Exchange.
GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication codes by impersonating the CircleCI DevOps platform. The fraudulent messages claim to notify users that their CircleCI sessions have expired and that they should log in using GitHub credentials by clicking on a link.
GitHub is warning of an ongoing phishing campaign that started on September 16 and is targeting its users with emails that impersonate the CircleCI continuous integration and delivery platform. "While GitHub itself was not affected, the campaign has impacted many victim organizations," GitHub informs in an advisory on Wednesday.