Dropbox’s MFA (Multifactor Authentication) Failed!
HealthInfoSecurity.com reported: “Add DropBox to the list of tech companies experiencing a multifactor fail moment. The file storage and sharing company acknowledged Tuesday that employees fell for a well-crafted phishing campaign that gave hackers access to internal code repositories and some personally identifying information.” The November 3, 2022 report, entitled “Dropbox Data Breach Another Multifactor Fail” (https://tinyurl.com/yc543es2), included these comments:
Hackers did not obtain access to the contents of DropBox cloud storage accounts, users' passwords or their payment information, the San Francisco, Calif.-based company said. The publicly-traded company reports 700 million registered users, of which about 17 million are paying customers.
Hackers instead found and copied 130 DropBox code repositories stored on GitHub, the company says. Inside the repositories were "our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team." Not included was code for core apps or infrastructure, which DropBox says are controlled by tighter levels of security.
There was some personal data in the repositories. "The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors," the company said. DropBox says it notified affected individuals despite believing that "any risk to them is minimal."
Is anyone surprised?