CircleCI Takes the Blame for the Stolen Encryption Keys and Customers’ Secrets

CircleCI, a software company popular among software engineers and developers, confirmed that the last month’s data breach resulted in stolen customer data.

The company published a detailed blog post about the incident on Friday, explaining that it discovered the malicious actors’ entry point as an employee’s laptop compromised with malware.

The malware allowed the theft of session tokens, which keep the employee logged in to particular applications, even though their access was protected by two-factor authentication.

Taking the blame for the compromise, CircleCI called it a “systems failure,” saying that its antivirus software failed to detect the malware behind the token theft on the employee’s laptop.

Session tokens allow a user to remain logged in without the need to re-enter their password or re-authorize using two-factor authentication every time they need to log back in.

Once stolen by a cybercriminal, these session tokens give the malicious actor complete access to the account as if they were the account holder, without needing their two-factor authentication code or password.

This makes it difficult to distinguish between a legitimate session token of the account owner and one stolen by a cybercriminal.

In its blog post, CircleCI explains that the theft of the session token allowed the hackers to impersonate its employee and gain access to customer data stored in the company’s production systems.

According to Rob Zuber, the company’s chief technology officer, the hackers had access to customer data from December 16th through January 4th.

Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys.

Zuber warned that the hackers also obtained the encryption keys needed to decrypt the customer data, and he instructed the customers who have yet to take action to do so to prevent unauthorized access to stores and third-party systems.

He added that several customers have already informed CircleCI of unauthorized access to their systems.

The incident report comes just days after the company, suspecting that hackers had stolen its customers’ sensitive secrets used for access to other services and applications, instructed its customers to rotate “any and all secrets” stored in CircleCI.

CircleCI employees with access to the production systems “have added additional step-up authentication steps and controls,” according to Zuber, which should prevent the incident from repeating, possibly by using hardware security modules.
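The two points above (a stolen session token stands in for password plus 2FA, and step-up controls for privileged operations limit what such a token can do) can be shown in a small server-side session store. This is an added example, not CircleCI’s code or a description of its systems; the session lifetime, the step-up window, the client attributes used for binding, and the “mint prod token” action are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed example: a minimal session store showing why a stolen session
# token is as good as a password plus a 2FA code, and two mitigations a
# defender can apply: binding the session to the client's context and
# requiring fresh (step-up) authentication for privileged operations.

SESSION_TTL = 8 * 3600      # assumption: ordinary session lifetime in seconds
STEP_UP_WINDOW = 5 * 60     # assumption: 2FA must be this recent for privileged actions


@dataclass
class Session:
    user: str
    context_hash: str       # hash of client attributes seen at login
    created: float
    last_step_up: float     # time of the most recent 2FA verification


class SessionStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _context_hash(client_ctx: Dict[str, str]) -> str:
        # Hash the attributes the server observes (e.g. user agent, IP prefix).
        raw = "|".join(f"{k}={client_ctx[k]}" for k in sorted(client_ctx))
        return hashlib.sha256(raw.encode()).hexdigest()

    def login(self, user: str, client_ctx: Dict[str, str], passed_2fa: bool) -> str:
        if not passed_2fa:
            raise PermissionError("2FA required at login")
        token = secrets.token_urlsafe(32)
        now = self._now()
        self._sessions[token] = Session(user, self._context_hash(client_ctx), now, now)
        return token

    def validate(self, token: str, client_ctx: Dict[str, str]) -> Optional[Session]:
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._now() - s.created > SESSION_TTL:
            self.revoke(token)
            return None
        if not hmac.compare_digest(s.context_hash, self._context_hash(client_ctx)):
            # The token was presented from a context other than the one it was
            # issued to: treat it as stolen and revoke it.
            self.revoke(token)
            return None
        return s

    def step_up(self, token: str, client_ctx: Dict[str, str], passed_2fa: bool) -> bool:
        s = self.validate(token, client_ctx)
        if s is None or not passed_2fa:
            return False
        s.last_step_up = self._now()
        return True

    def privileged_action(self, token: str, client_ctx: Dict[str, str], action: str) -> str:
        s = self.validate(token, client_ctx)
        if s is None:
            raise PermissionError("invalid session")
        if self._now() - s.last_step_up > STEP_UP_WINDOW:
            raise PermissionError("step-up authentication required")
        return f"{s.user} performed {action}"

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


class FakeClock:
    """Controllable clock so the scenario is deterministic."""
    def __init__(self, t: float = 1_000_000.0):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> Dict[str, object]:
    clock = FakeClock()
    store = SessionStore(now=clock)
    laptop = {"user_agent": "Firefox/108", "ip_prefix": "203.0.113"}    # constructed
    elsewhere = {"user_agent": "curl/7.88", "ip_prefix": "198.51.100"}  # constructed
    token = store.login("employee", laptop, passed_2fa=True)
    results: Dict[str, object] = {}
    results["owner_ok"] = store.validate(token, laptop) is not None
    # 2FA is fresh right after login, so a privileged action is allowed.
    results["fresh_priv_ok"] = store.privileged_action(token, laptop, "mint prod token")
    clock.advance(STEP_UP_WINDOW + 1)
    # Session still valid, but the privileged action now needs step-up.
    try:
        store.privileged_action(token, laptop, "mint prod token")
        results["stale_priv_blocked"] = False
    except PermissionError:
        results["stale_priv_blocked"] = True
    store.step_up(token, laptop, passed_2fa=True)
    results["step_up_restores"] = store.privileged_action(token, laptop, "mint prod token")
    # The same token replayed from a different context is rejected and revoked.
    results["replay_blocked"] = store.validate(token, elsewhere) is None
    results["revoked_after_replay"] = store.validate(token, laptop) is None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Context binding only catches a token replayed from somewhere else; malware running on the employee’s own laptop, as in the incident described here, presents exactly the context the token was issued to. That is why the step-up requirement matters more: even a token used from the right device cannot mint production credentials unless a second factor was verified within the last few minutes, and a short session lifetime bounds how long any stolen token remains usable.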

Though it’s unknown if the incidents are connected, the way the hackers gained access to an employee’s laptop resembles the data breach of the password manager giant LastPass, which also involved a malicious actor targeting an employee’s device.

After the controversial security breach, LastPass said the hackers broke into the company’s internal development environment via a compromised employee’s device and account access.
