CircleCI, a software company whose products are popular with developers and software engineers, has confirmed that some of its customers’ data was stolen in a data breach last month.
In a detailed blog post on Friday, the company said it determined that the intruder’s initial point of access was an employee’s laptop, which had been compromised with malware that allowed the theft of session tokens used to keep employees logged into certain applications, even though their access was protected by two-factor authentication.
The company took responsibility for the compromise, calling it a “system failure,” adding that its antivirus software failed to detect the token-stealing malware on employee laptops.
Session tokens allow users to stay logged in without having to re-enter their passwords or re-authorize each time with two-factor authentication. But a stolen session token gives an intruder the same access as the account holder without needing their password or two-factor code. As a result, it can be difficult to distinguish a session token presented by the account owner from the same token presented by an intruder who stole it.
Once the session token was stolen, the attackers could impersonate the employee and gain access to some of the company’s production systems where customer data is stored, CircleCI said.
“Because the targeted employees had the authority to generate production access tokens as part of the employees’ day-to-day duties, unauthorized third parties were able to access and exfiltrate data from a subset of the database and store, including customer environment variables, tokens, and keys,” Rob Zuber, the company’s chief technology officer, said. Zuber said the intruders had access between December 16 and January 4.
Zuber said that while customer data was encrypted, the intruders also obtained encryption keys capable of decrypting that data. “We encourage customers who have not already done so to prevent unauthorized access to third-party systems and stores,” Zuber added.
Several customers have notified CircleCI of unauthorized access to their systems, Zuber said.
The post-mortem came days after the company warned customers to rotate “any and all secrets” stored on its platform, fearing that hackers had stolen its customers’ code and other sensitive secrets used to access other apps and services.
CircleCI employees who retain access to production systems now “have additional step-up authentication steps and controls,” Zuber said, which should prevent a repeat of the incident, possibly by requiring a hardware security key.
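Two of the points above, that a stolen session token is indistinguishable from the owner’s at face value, and that step-up authentication for privileged actions limits what such a token is worth, can be shown as server-side checks. The block below is an added illustration, not CircleCI’s code or any detail of its actual systems: it binds a session to the client fingerprint captured at login (simplified here to source IP plus User-Agent), requires a recent phishing-resistant assertion such as a hardware security key before the session may generate a production token, and scans constructed audit log lines for tokens presented from more than one client. All session records, request records, log lines and action names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

UTC = timezone.utc


@dataclass
class Session:
    token_id: str
    user: str
    expires_at: datetime
    bound_ip: str                 # client fingerprint captured at login (simplified)
    bound_user_agent: str
    last_strong_auth: Optional[datetime] = None  # last hardware-key (or similar) assertion


@dataclass
class Request:
    token_id: str
    at: datetime
    ip: str
    user_agent: str
    action: str


# Hypothetical action name; privileged actions demand a recent strong authentication.
PRIVILEGED_ACTIONS = {"generate_production_token"}
STEP_UP_MAX_AGE = timedelta(minutes=10)


def evaluate(session: Session, req: Request) -> Tuple[bool, str]:
    """Decide whether a request presenting a session token is allowed; returns (allowed, reason)."""
    if req.token_id != session.token_id:
        return False, "unknown_token"
    if req.at >= session.expires_at:
        return False, "expired"
    # A valid token arriving from a different client than the one that logged in is the
    # signature of token theft; reject it and let the caller alert on the reason.
    if (req.ip, req.user_agent) != (session.bound_ip, session.bound_user_agent):
        return False, "client_mismatch"
    if req.action in PRIVILEGED_ACTIONS:
        if session.last_strong_auth is None or req.at - session.last_strong_auth > STEP_UP_MAX_AGE:
            return False, "step_up_required"
    return True, "ok"


def record_step_up(session: Session, at: datetime) -> Session:
    """Mark that the user just completed a hardware-key challenge; returns the session for chaining."""
    session.last_strong_auth = at
    return session


def parse_audit_line(line: str) -> Request:
    """Constructed audit format: timestamp|token_id|ip|user_agent|action."""
    ts, token, ip, ua, action = line.split("|")
    return Request(token, datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, ua, action)


def tokens_seen_from_multiple_clients(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Retrospective detection: which session tokens were presented from more than one client?"""
    clients: Dict[str, set] = {}
    for line in lines:
        r = parse_audit_line(line)
        clients.setdefault(r.token_id, set()).add((r.ip, r.user_agent))
    return {t: sorted(c) for t, c in clients.items() if len(c) > 1}


# Constructed sample data: one legitimate session and a replay of its token from elsewhere.
LAPTOP_UA = "Mozilla/5.0 corp-laptop"
AUDIT_LINES = [
    "2023-01-03T09:05:00Z|sess-01|10.0.0.5|" + LAPTOP_UA + "|view_dashboard",
    "2023-01-03T09:07:00Z|sess-01|203.0.113.9|python-requests/2.28|view_dashboard",
    "2023-01-03T09:08:00Z|sess-02|10.0.0.7|" + LAPTOP_UA + "|view_dashboard",
]


def new_alice_session() -> Session:
    return Session("sess-01", "alice", datetime(2023, 1, 3, 17, 0, tzinfo=UTC), "10.0.0.5", LAPTOP_UA)


if __name__ == "__main__":
    s = new_alice_session()
    t = datetime(2023, 1, 3, 9, 10, tzinfo=UTC)
    print(evaluate(s, Request("sess-01", t, "10.0.0.5", LAPTOP_UA, "view_dashboard")))
    print(evaluate(s, Request("sess-01", t, "203.0.113.9", "python-requests/2.28", "view_dashboard")))
    print(evaluate(s, Request("sess-01", t, "10.0.0.5", LAPTOP_UA, "generate_production_token")))
    print(tokens_seen_from_multiple_clients(AUDIT_LINES))
```

Binding to the source IP is a simplification that breaks for roaming or NAT’d users; production designs bind the session to a device-held key instead (for example a TLS-bound or device-bound session credential) so that a copied token is useless off the original machine. The step-up check matters independently of the binding: even a token used on the compromised laptop itself cannot mint production credentials without a fresh hardware-key assertion the malware cannot replay.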
The initial point of access — the token theft on an employee laptop — is somewhat similar to the way password manager giant LastPass was hacked, which also involved an intruder targeting employee devices, though it’s unclear whether the two events are related. LastPass confirmed that its customers’ encrypted password vaults were stolen in an earlier breach. LastPass says the intruders initially compromised an employee’s device and account access, allowing them to break into LastPass’ internal development environment.
Updated: headline changed to better reflect that customer data was stolen.