CircleCI, a software company whose products are popular with developers and software engineers, confirmed that some customers’ data was stolen in a data breach last month.
The company said in a detailed blog post Friday that it identified the intruder’s first entry point as an employee’s laptop compromised with malware, enabling the theft of session tokens used to keep the employee logged in to certain applications, although their access was secured with two-factor authentication.
The company took the blame, calling it a “system bug,” adding that its antivirus software failed to detect the token-stealing malware on the employee’s laptop.
Session tokens allow a user to remain logged in without having to re-enter their password each time or reauthorize using two-factor authentication. But with a stolen session token, an intruder can gain the same access as the account holder without needing their password or two-factor code. As such, it can be difficult to differentiate between a session token belonging to the account owner or a hacker who stole the token.
CircleCI said the session token theft enabled the cybercriminals to impersonate the employee and gain access to some of the company’s production systems, which store customer data.
“Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and extract data from a subset of databases and stores, including environment variables, tokens and keys belonging to the customer,” said Rob Zuber, the company’s chief technology officer. Zuber said the intruders had access from December 16 to January 4.
Zuber said that while the customer data was encrypted, the cybercriminals also obtained the encryption keys that allowed the customer data to be decrypted. “We encourage customers who have not yet taken action to do so to prevent unauthorized access to third-party systems and stores,” added Zuber.
Several customers have already notified CircleCI of unauthorized access to their systems, Zuber said.
The post-mortem comes days after the company warned customers to rotate “all secrets” stored on its platform, fearing that hackers may have stolen its customers’ source code and other sensitive secrets used to access other applications and services.
Zuber said CircleCI employees who maintain access to production systems have “added additional step-by-step authentication steps and checks” that should prevent a repeat incident, likely through hardware security keys.
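To make the two points above concrete, here is an added example (not CircleCI’s code, and not a description of its systems): a minimal session store that shows why a replayed session token looks like the legitimate user to a plain bearer-token check, and two defensive controls that narrow the gap. The first binds each session to the client context it was issued to and flags a mismatch rather than silently serving the request; the second requires fresh step-up authentication before a privileged action such as minting a production access token, so a stolen session on its own is not enough. All user names, IP addresses, User-Agent strings and timestamps are constructed for the demo.

```python
"""Session binding and step-up authentication demo (added example, not CircleCI code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STEP_UP_MAX_AGE = 300      # seconds a second-factor proof stays fresh (assumed policy)
IDLE_TIMEOUT = 8 * 3600    # idle sessions expire after 8 hours (assumed policy)


def fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client context a session was issued to."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fp: str
    last_seen: float
    last_step_up: Optional[float] = None
    alerts: List[dict] = field(default_factory=list)


class SessionStore:
    def __init__(self) -> None:
        self._by_token: Dict[str, Session] = {}

    def issue(self, user: str, ip: str, ua: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(user, fingerprint(ip, ua), now)
        return token

    def lookup(self, token: str) -> Optional[Session]:
        # Constant-time comparison so token lookup does not leak timing.
        for stored, s in self._by_token.items():
            if hmac.compare_digest(stored, token):
                return s
        return None

    def authorize(self, token: str, ip: str, ua: str, now: float) -> str:
        """Return 'ok', 'denied', 'expired' or 'suspicious'.

        'suspicious' means the bearer token itself is valid (a naive check
        would accept it) but it arrives from a client context other than the
        one it was bound to: the signal a defender has when a token is replayed.
        """
        s = self.lookup(token)
        if s is None:
            return "denied"
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._by_token[token]
            return "expired"
        if not hmac.compare_digest(s.fp, fingerprint(ip, ua)):
            s.alerts.append({"at": now, "reason": "context-mismatch", "ip": ip})
            return "suspicious"
        s.last_seen = now
        return "ok"

    def record_step_up(self, token: str, now: float) -> None:
        """Called after the user completes a fresh second-factor challenge."""
        s = self.lookup(token)
        if s is not None:
            s.last_step_up = now

    def mint_production_token(self, token: str, ip: str, ua: str, now: float) -> Tuple[Optional[str], str]:
        """Privileged action: needs a valid, bound session AND a recent step-up."""
        status = self.authorize(token, ip, ua, now)
        if status != "ok":
            return None, status
        s = self.lookup(token)
        if s.last_step_up is None or now - s.last_step_up > STEP_UP_MAX_AGE:
            return None, "step-up-required"
        return secrets.token_urlsafe(32), "ok"


def run_demo() -> dict:
    """Walk through owner use, token replay, and privileged access; constructed inputs."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    laptop = ("10.0.0.5", "Mozilla/5.0 (employee laptop)")
    other = ("203.0.113.9", "curl/8.0")
    tok = store.issue("alice", *laptop, t0)
    out = {}
    out["owner"] = store.authorize(tok, *laptop, t0 + 60)
    # Same token presented from a different host: no password or 2FA is asked for,
    # but the context mismatch is recorded instead of being served silently.
    out["replay"] = store.authorize(tok, *other, t0 + 120)
    _, out["mint_no_stepup"] = store.mint_production_token(tok, *laptop, t0 + 180)
    store.record_step_up(tok, t0 + 200)
    pat, out["mint_with_stepup"] = store.mint_production_token(tok, *laptop, t0 + 240)
    out["minted"] = pat is not None
    _, out["mint_replay"] = store.mint_production_token(tok, *other, t0 + 260)
    out["alerts"] = len(store.lookup(tok).alerts)
    out["after_idle"] = store.authorize(tok, *laptop, t0 + 240 + IDLE_TIMEOUT + 1)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two caveats matter in practice. Malware running on the employee’s own laptop can issue requests from the bound device, so context binding is a detection aid and a hurdle for off-host replay, not a guarantee; the step-up requirement on privileged operations is the control that still holds in that case, and it is strongest when the second factor is a hardware key. Short idle timeouts, as modelled by IDLE_TIMEOUT, also shrink the window in which an exfiltrated token remains useful.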
The first point of entry – stealing tokens from an employee’s laptop – bears some resemblance to how password manager giant LastPass was hacked, which also involved an intruder targeting an employee’s device, though it’s not known if the two incidents are related. LastPass, the password manager with approximately 33 million customers, confirmed in December that its customers’ password vaults had been stolen in a previous breach after an intruder compromised an employee’s device and account access, allowing the intruder access to LastPass’ internal developer environment.