CircleCI, a software company whose products are popular with developers and software engineers, has confirmed that some customers’ data was stolen in a data breach last month.
In a detailed blog post on Friday, the company said it identified the intruder’s first point of access as an employee’s malware-infected laptop, even though the laptop was protected with two-factor authentication.
The company took responsibility for the breach, calling it a “system failure,” adding that antivirus software failed to detect token-stealing malware on employee laptops.
Session tokens allow users to stay logged in without having to re-enter their password each time or re-authorize using two-factor authentication. But a stolen session token gives an intruder the same access as the account owner without needing the password or the two-factor code. As a result, it can be difficult to distinguish the account owner using a session token from a hacker replaying a stolen one.
CircleCI says the theft of session tokens allowed the cybercriminals to impersonate its employees and gain access to some of the company’s production systems that store customer data.
“Because the targeted employee had the power to generate production access tokens as part of his normal job duties, an unauthorized third party could access a subset of our databases and stores, potentially harming our customers. We were able to exfiltrate data such as environment variables, tokens and keys,” said Rob Zuber, the company’s chief technology officer. Zuber said the intruder had access from December 16 until January 4.
Zuber said the customer data was encrypted, but the cybercriminals also obtained encryption keys that could decrypt the customer data. “We encourage customers who have not yet taken action to prevent unauthorized access to third-party systems and stores,” Zuber added.
Several customers have already reported unauthorized access to their systems to CircleCI, Zuber said.
Fearing that hackers may have stolen customer source code and other sensitive information used to access other applications and services, the company urged customers to rotate “any and all secrets” stored on its platform. A few days after alerting customers, the company conducted its follow-up investigation.
According to Zuber, CircleCI has added “additional step-up authentication procedures and controls” for employees who retain access to production systems, to prevent a recurrence of the incident, possibly including the use of hardware security keys.
The first point of access, the theft of tokens from an employee’s laptop, is similar to how password manager giant LastPass was hacked, which also involved an intruder targeting employee devices, although it is unclear whether the two incidents are related. LastPass confirmed in December that a customer’s encrypted password vault had been stolen in a previous breach. According to LastPass, the intruder was initially able to compromise employee devices and accounts and penetrate LastPass’ internal developer environment.