CircleCI, a software company popular with developers and software engineers, has confirmed that some customer data was stolen in a data breach last month.
In a detailed blog post on Friday, the company said the intruder's initial point of access was identified as an employee laptop compromised with malware. The malware stole the session token that kept the employee logged into certain applications, letting the intruder use those applications even though access was protected by two-factor authentication.
The company took responsibility for the breach, calling it a "system failure," and added that its antivirus software failed to detect the token-stealing malware on the employee's laptop.
Session tokens let users stay logged in without re-entering their password or re-authorizing with two-factor authentication each time. But a stolen session token gives an intruder the same access as the account owner without needing the owner's password or two-factor code, and because the server sees only the token, it can be difficult to distinguish the account owner's legitimate session from the hacker who stole it.
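The point above is why a bearer session token is only as safe as the laptop it sits on. The following is an added example, not code from the article or from CircleCI, showing two mitigations a service can apply on its own side: binding each session to a coarse client fingerprint (source IP plus User-Agent) at issuance so that a replayed token from a different device is rejected and the session revoked, and scanning access logs for a token that has been presented from more than one fingerprint. The `SessionStore` class, the `client_fingerprint` helper and the log lines are all constructed for illustration.

```python
"""
Added example (not from the article or CircleCI): fingerprint-bound session
tokens and a log scan for token replay from a second device.
All names, tokens and log lines below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse device binding: hash of the source IP and User-Agent."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16]


@dataclass
class Session:
    user: str
    fingerprint: str  # fingerprint captured when the session was issued


class SessionStore:
    """In-memory store that binds each session token to the issuing client."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = Session(user, client_fingerprint(ip, user_agent))
        return token

    def validate(self, token: str, ip: str, user_agent: str) -> Tuple[bool, str]:
        """Return (ok, detail). A fingerprint mismatch revokes the session so
        neither the thief nor the original client can keep using it; the
        owner must log in again with their second factor (step-up)."""
        sess = self._sessions.get(token)
        if sess is None:
            return False, "unknown or revoked token"
        presented = client_fingerprint(ip, user_agent)
        if not hmac.compare_digest(sess.fingerprint, presented):
            del self._sessions[token]
            return False, "fingerprint mismatch; session revoked, step-up required"
        return True, sess.user


# Constructed access log: "<timestamp> <user> <token> <source-ip> <user-agent>".
# The third line is the same token as the first two, replayed from a new host.
LOG_LINES: List[str] = [
    "2022-12-16T09:01:12Z alice tok_a1b2 203.0.113.10 Mozilla/5.0 (Macintosh)",
    "2022-12-16T09:05:40Z alice tok_a1b2 203.0.113.10 Mozilla/5.0 (Macintosh)",
    "2022-12-16T11:22:03Z alice tok_a1b2 198.51.100.77 python-requests/2.28",
    "2022-12-16T11:30:15Z bob tok_c3d4 192.0.2.5 Mozilla/5.0 (Windows)",
]


def find_token_reuse(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each token seen from more than one client fingerprint to the set
    of fingerprints it was presented from (a token replay indicator)."""
    seen: Dict[str, Set[str]] = {}
    for line in lines:
        _ts, _user, token, ip, user_agent = line.split(None, 4)
        seen.setdefault(token, set()).add(client_fingerprint(ip, user_agent))
    return {tok: fps for tok, fps in seen.items() if len(fps) > 1}


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice", "203.0.113.10", "Mozilla/5.0 (Macintosh)")
    print(store.validate(tok, "203.0.113.10", "Mozilla/5.0 (Macintosh)"))
    print(store.validate(tok, "198.51.100.77", "python-requests/2.28"))
    print(store.validate(tok, "203.0.113.10", "Mozilla/5.0 (Macintosh)"))
    for token, fps in find_token_reuse(LOG_LINES).items():
        print(f"{token}: presented from {len(fps)} distinct clients")
```

Fingerprint binding is a coarse control: laptops roam between networks, and an attacker who has already compromised the endpoint can proxy traffic through it or copy the User-Agent along with the token, so it raises the bar rather than closing the hole. Short session lifetimes, re-prompting for the second factor before sensitive actions, and keeping the credential on a hardware key that malware cannot export are the stronger complements.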
CircleCI says the theft of the session token allowed the intruder to impersonate the employee and gain access to some of the company's production systems that store customer data.
"Because the targeted employee had the power to generate production access tokens as part of his normal job duties, an unauthorized third party could access a subset of our databases and stores, potentially harming our customers, and was able to exfiltrate data such as environment variables, tokens and keys," said Rob Zuber, the company's chief technology officer. Zuber said the intruder had access from December 16 until January 4.
Zuber said the customer data was encrypted, but the intruder also obtained the encryption keys able to decrypt it. "We encourage customers who have not yet taken action to do so, to prevent unauthorized access to third-party systems and stores," Zuber added.
Several customers have already reported unauthorized access to their systems to CircleCI, Zuber said.
The postmortem comes a few days after the company warned customers to rotate "all kinds of secrets" stored on CircleCI, over fears that hackers had stolen customers' source code and other sensitive information used to access other applications and services.
Zuber said that for CircleCI employees who retain access to production systems, the company has "added additional step-up authentication procedures and controls," using hardware security keys.
The initial point of access, the theft of a token from an employee laptop, is similar to how password manager giant LastPass was hacked, which also involved an intruder targeting an employee's device, though it is unclear whether the two incidents are related. LastPass announced in December that customers' encrypted password vaults had been stolen in an earlier breach. LastPass said the intruders first gained access to an employee's device and accounts, allowing them to infiltrate LastPass' internal developer environment.