CircleCi, a software company whose products are popular with developers and software engineers, confirmed that some customers’ data was stolen in a data breach last month.
Company said in a detailed blog post on Friday it identified the intruder’s first entry point as an employee’s laptop compromised with malware, enabling the theft of session tokens used to keep the employee logged in to certain applications, even though their access was secured with two-factor authentication.
The company took the blame, calling it a “system bug,” adding that the antivirus software failed to detect the token-stealing malware on the employee’s laptop.
Session tokens allow a user to remain logged in without having to re-enter their password each time or reauthorize using two-factor authentication. But with a stolen session token, an intruder can gain the same access as the account holder without needing their password or two-factor code. As such, it can be difficult to differentiate between a session token belonging to the account owner or a hacker who stole the token.
CircleCi said the theft of the session token enabled the cybercriminals to impersonate the employee and gain access to some of the company’s production systems, which store customer data.
Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and extract data from a subset of databases and stores, including environment variables, tokens and keys belonging to the customer. ” said Rob Zuber, the company’s chief technology officer. Zuber said the intruders had access from December 16 to January 4.
Zuber said that while the customer data was encrypted, the cybercriminals also obtained the encryption keys that allowed the customer data to be decrypted. “We encourage customers who have not yet taken action to do so to prevent unauthorized access to third-party systems and stores,” added Zuber.
Several customers have already notified CircleCi of unauthorized access to their systems, Zuber said.
The post-mortem comes days after the company warned customers to rotate “all secrets” stored on its platform, fearing that hackers may have stolen its customers’ source code and other sensitive secrets used to access other applications and services. stolen.
Zuber said CircleCi employees who maintain access to production systems have “added additional step-by-step authentication steps and checks” that should prevent a repeat incident, likely through hardware security keys.
The first point of entry – stealing tokens on an employee’s laptop – bears some resemblance to how password manager giant LastPass was hacked, which also involved an intruder targeting an employee’s device, though it’s not known if the two incidents are related. LastPass confirmed in December that its customers’ encrypted password vaults had been stolen in a previous breach. LastPass said the intruders initially compromised an employee’s device and account access, allowing them to break into LastPass’ internal developer environment.
