CircleCI says hackers stole customer encryption keys and source code • TechCrunch
CircleCI, a software company whose products are popular with software developers and engineers, has confirmed that some customers’ data was stolen in a data breach last month.
In a detailed blog post on Friday, the company said it identified the intruder’s initial access point as an employee’s laptop that had been compromised by malware, allowing the theft of session tokens used to keep employees signed in to certain apps, even though their access was protected by two-factor authentication.
The company blamed the compromise on what it called a “system error,” adding that its antivirus software failed to detect the token-stealing malware on the employee’s laptop.
Session tokens let users stay logged in without re-entering their password or re-authorizing with two-factor authentication each time. But a stolen session token gives an intruder the same access as the account holder, without needing their password or two-factor code. Because the token itself is valid either way, it can be difficult to distinguish the account owner’s use of the token from the thief’s.
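Session-token replay is the mechanism the paragraph above describes. The following is an added example, not code from the article or from CircleCI, showing the two sides a defender cares about: detection logic run over a constructed log, flagging a session whose source IP and user agent change after login (the only signal left once the token itself is valid), and a session store that binds each token to a client fingerprint at issuance and revokes it on mismatch instead of honouring it. The log format, field names, the `SENSITIVE_ACTIONS` set and the fingerprint scheme are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # unix seconds
    session_id: str
    user: str
    src_ip: str
    user_agent: str  # kept free of spaces in the constructed log so split() works
    action: str


# Constructed sample log for the example (not real CircleCI data).
# Fields: timestamp session_id user src_ip user_agent action
SAMPLE_LOG = """\
1671148800 sess-a1 alice 203.0.113.10 Mozilla/5.0(Macintosh) login
1671148860 sess-a1 alice 203.0.113.10 Mozilla/5.0(Macintosh) view_dashboard
1671148900 sess-b2 bob 192.0.2.5 Mozilla/5.0(Windows) login
1671149000 sess-b2 bob 192.0.2.5 Mozilla/5.0(Windows) view_dashboard
1671152400 sess-a1 alice 198.51.100.77 python-requests/2.28 list_env_vars
1671152460 sess-a1 alice 198.51.100.77 python-requests/2.28 create_prod_token
"""

# Assumed set of actions that warrant escalation when they follow a fingerprint change.
SENSITIVE_ACTIONS = {"list_env_vars", "create_prod_token"}


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, user, ip, ua, action = line.split()
        events.append(Event(int(ts), sid, user, ip, ua, action))
    return sorted(events, key=lambda e: e.ts)


def find_hijacked_sessions(events: list[Event]) -> dict[str, list[str]]:
    """Return session_id -> list of alert strings for sessions used from a
    (src_ip, user_agent) pair different from the one that opened them.
    The token is equally valid in both cases; only the surrounding context
    separates the owner from whoever stole the token."""
    first_seen: dict[str, tuple[str, str]] = {}
    alerts: dict[str, list[str]] = defaultdict(list)
    for e in events:
        fp = (e.src_ip, e.user_agent)
        origin = first_seen.setdefault(e.session_id, fp)  # first use defines the baseline
        if fp == origin:
            continue
        reason = f"{e.action} from {e.src_ip}/{e.user_agent}, session opened from {origin[0]}/{origin[1]}"
        if e.action in SENSITIVE_ACTIONS:
            reason += " [sensitive]"
        alerts[e.session_id].append(reason)
    return dict(alerts)


class BoundSessionStore:
    """Issue tokens bound to a hash of the client fingerprint; a token presented
    from a different fingerprint is refused and revoked rather than honoured."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[str, str]] = {}  # token -> (user, fp_hash)

    @staticmethod
    def _fingerprint(src_ip: str, user_agent: str) -> str:
        return hashlib.sha256(f"{src_ip}|{user_agent}".encode()).hexdigest()

    def issue(self, user: str, src_ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._fingerprint(src_ip, user_agent))
        return token

    def validate(self, token: str, src_ip: str, user_agent: str) -> str | None:
        """Return the bound user if token and fingerprint match, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, fp_hash = entry
        if not secrets.compare_digest(fp_hash, self._fingerprint(src_ip, user_agent)):
            # Replay from another client: revoke so the real owner must re-authenticate.
            del self._sessions[token]
            return None
        return user


if __name__ == "__main__":
    for sid, reasons in find_hijacked_sessions(parse_log(SAMPLE_LOG)).items():
        print(sid)
        for r in reasons:
            print("  ", r)
```

The caveat a practitioner would want: binding to IP and user agent is coarse. Corporate NAT, VPNs and mobile networks change addresses legitimately, and malware that proxies requests through the victim’s own laptop presents the victim’s own fingerprint, so this catches the crude replay-from-elsewhere case only. That limitation is why remediation for this class of incident tends toward hardware-backed keys and short-lived, re-attested sessions rather than token heuristics alone.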
CircleCI says the session token theft allowed the cybercriminals to impersonate the employee and gain access to some of the company’s production systems, where customer data is stored.
“Since the targeted employee has the privilege of generating production access tokens as part of the employee’s routine duties, unauthorized third parties can access and extract data from a subset of databases and stores, including customer environment variables, tokens, and keys,” said Rob Zuber, the company’s chief technology officer. Zuber said the intruders had access between December 16 and January 4.
Zuber says that while customer data was encrypted, the cybercriminals also obtained the encryption keys that can decrypt it. Zuber added: “We encourage customers who have not taken action to do so to prevent unauthorized access to third-party systems and stores.”
Zuber said some customers have notified CircleCI of unauthorized access to their systems.
The post-mortem comes a few days after the company warned customers to rotate “any and all secrets” stored in its platform, fearing that the hackers had stolen customer source code and other sensitive secrets used to gain access to other apps and services.
Zuber says that CircleCI employees who retain access to production systems “have added enhanced validation and control steps,” which should prevent a repeat, possibly through the use of hardware security keys.
The initial access point, malware stealing tokens from an employee’s laptop, has some similarities to how password management giant LastPass was hacked, which also involved intruders targeting employee devices, although it is not known whether the two incidents are related. LastPass confirmed in December that customers’ encrypted password vaults were stolen in an earlier breach. LastPass says the original intruders compromised employee accounts and devices, allowing them to break into LastPass’ internal developer environment.