CircleCi, a software company whose products are popular with developers and software engineers, has confirmed that some customers’ data has been stolen. data breach last month.
Company said in a detailed blog post On Friday, the intruder determined that the first access point was a compromised employee’s laptop, which allowed the theft of session tokens used to keep the employee logged in to certain apps, even though their access was protected by two-factor authentication.
The company took the blame for the compromise, describing it as a “system error” and adding that the antivirus was unable to detect the token-stealing malware on the employee’s laptop.
Session tokens allow a user to stay logged in using two-factor authentication each time without having to re-enter their password or reauthorize. However, a stolen session token allows an intruder to gain the same access as the account owner, without the need for a password or two-factor code. Therefore, it can be difficult to distinguish between a session token owned by the account holder and a hacker stealing the token.
CircleCi said the theft of the session token allowed cybercriminals to impersonate the employee and gain access to some of the company’s production systems that store customer data.
“Because the targeted employee had privileges to create production access tokens as part of the employee’s normal duties, the unauthorized third party was able to access and leak data from a subset of database and repository, including customer environment variables, tokens, and keys.” said Rob Zuber, the company’s chief technology officer. Zuber said the intruders had access from December 16 to January 4.
Zuber said that while encrypting customer data, cybercriminals also obtained encryption keys that can decrypt customer data. “We encourage customers who have not yet taken action to prevent unauthorized access to third-party systems and stores,” Zuber said.
Zuber said several customers have notified CircleCi of unauthorized access to their systems.
Autopsy arrives days after company warned customers to return “all secrets” Fearing that hackers stole their clients’ code and other sensitive secrets used to access other apps and services, it stored it on its platform.
Zuber said CircleCi employees who hold access to production systems “added additional authentication steps and checks” that should likely prevent a recurring incident by: using hardware security keys.
The first access point – token stealing on an employee’s laptop – is unknown if the two events are linked, but bears some resemblance to how password manager giant LastPass was hacked, including an intruder targeting an employee’s device. LastPass confirmed in December customers’ encrypted password safes stolen in a previous violation. LastPass says intruders were initially compromised an employee’s device and account accessIt allows them to enter LastPass’ internal developer environment.
Updated the title to better reflect the received customer data.
