CircleCI, the software company whose continuous-integration products are popular among programmers and engineers, has acknowledged that a data breach last month resulted in the theft of some customer data. In a blog post on Friday, the company said it had traced the intruder’s initial point of entry to an employee’s laptop that was infected with malware and used to log that employee into certain applications, even though the employee’s access was protected by two-factor authentication.
The company accepted responsibility for the hack, calling it a “systems failure” and adding that its antivirus software had not detected the token-stealing malware on the employee’s laptop. Session tokens let users stay logged in without repeatedly typing their password or re-authorizing through two-factor authentication. An attacker holding a stolen session token can therefore reach the same resources without the account holder’s password or two-factor code, and it can be difficult to tell whether a given session token is being used by the account owner or by someone who stole it.
According to CircleCI, the theft of the session token let the attackers use the employee’s identity to reach parts of the company’s production systems, which hold customer data. “Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys,” said Rob Zuber, the company’s chief technology officer. Zuber said the intrusion took place between December 16 and January 4.
Zuber revealed that although customer data was encrypted, the attackers also obtained the encryption keys needed to decrypt it. “We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores,” Zuber added. Some customers have already reported unauthorized access to their systems to CircleCI, Zuber said.
The post-mortem followed a warning issued to customers a few days earlier to rotate “any and all secrets” stored on the platform, out of concern that customers’ code and the secrets used to reach other applications and services had been stolen. According to Zuber, CircleCI staff who still have access to the company’s production systems “have added additional step-up authentication steps and controls,” which should prevent a repeat of the incident; this is likely implemented with hardware security keys.
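As an added illustration of the two points above (the stolen-token problem and the step-up control Zuber describes), here is a small Python session store that binds each token to the client context seen at login and requires a recent step-up before a sensitive action such as minting a production token. This is example code, not CircleCI’s own; the context fingerprint, the 300-second step-up window and the action names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

STEP_UP_MAX_AGE = 300.0  # assumed: seconds a step-up (e.g. hardware key touch) stays valid


@dataclass
class Session:
    user: str
    context_hash: str            # fingerprint of IP + user agent at login (assumed binding)
    privileges: set = field(default_factory=set)
    step_up_at: float = 0.0      # time of last successful step-up; 0 means never


SESSIONS: dict[str, Session] = {}   # constructed in-memory store for the example


def context_fingerprint(ip: str, user_agent: str) -> str:
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def login(user: str, ip: str, user_agent: str, privileges: set) -> str:
    """Issue a random session token bound to the login context."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, context_fingerprint(ip, user_agent), set(privileges))
    return token


def record_step_up(token: str, now: float) -> None:
    """Called after the user passes a fresh second-factor challenge."""
    SESSIONS[token].step_up_at = now


def authorize(token: str, action: str, ip: str, user_agent: str, now: float) -> str:
    """Return 'allow', or a deny reason suitable for an alert."""
    sess = SESSIONS.get(token)
    if sess is None:
        return "deny: unknown token"
    # A valid token presented from a different IP/UA than at login is the
    # replay pattern described above: the token is genuine, the context is not.
    if not hmac.compare_digest(sess.context_hash, context_fingerprint(ip, user_agent)):
        return "deny: session context mismatch (possible stolen token)"
    if action not in sess.privileges:
        return "deny: insufficient privilege"
    # Possessing the session is not enough for production-token minting.
    if action == "mint_production_token" and now - sess.step_up_at > STEP_UP_MAX_AGE:
        return "deny: step-up authentication required"
    return "allow"
```

A real deployment would also expire tokens and log every deny as a detection signal rather than silently refusing.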
Although it is unknown whether the two incidents are connected, the initial point of access, token theft from an employee’s laptop, resembles the attack on password manager LastPass, which likewise involved an attacker targeting an employee’s computer. In December, LastPass acknowledged that encrypted password vaults belonging to its users had been compromised, saying the thieves gained access to its internal developer environment by compromising an employee’s device and account credentials.