CircleCI, a software company whose products are popular among software developers and engineers, confirmed that some customer data was stolen in a data breach last month.
The company said in a detailed blog post on Friday that it identified the intruder's initial access point as an employee's laptop that was compromised with malware, allowing the theft of session tokens used to keep the employee logged in to certain applications, even though the employee's access was protected with two-factor authentication.
The company took the blame for the compromise, calling it a “system failure,” adding that its antivirus software was unable to detect the token-stealing malware on the employee’s laptop.
Session tokens allow a user to stay logged in without having to re-enter their password or re-authorize the use of two-factor authentication each time. But a stolen session token allows an attacker to gain the same access as the account holder without needing their password or two-factor code. As such, it can be difficult to tell the difference between a session token used by the account owner and one used by a hacker who stole it.
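As an added illustration (not code from the page or from CircleCI), the following Python sketch shows one way a server can make a replayed session token stand out: bind each token to the client context seen at login, give it a fixed lifetime, and require a fresh two-factor step-up before privileged actions such as generating production access tokens. The class and function names, the fingerprint fields and the time windows are assumptions, and the sample sessions are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SESSION_TTL = 8 * 3600     # assumed absolute lifetime of a session token (seconds)
STEP_UP_MAX_AGE = 5 * 60   # assumed: privileged actions need 2FA within the last 5 minutes


@dataclass
class Session:
    user: str
    context_hash: str        # fingerprint of the client context at login
    issued_at: float
    last_step_up: float = 0.0  # when the user last completed a 2FA step-up


def context_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client attributes the token is bound to (hypothetical choice)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def issue(self, user: str, ip: str, user_agent: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, context_fingerprint(ip, user_agent), now)
        return token

    def check(self, token: str, ip: str, user_agent: str, now: float,
              sensitive: bool = False) -> tuple[bool, str]:
        """Return (allowed, reason) for a request carrying `token`."""
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown token"
        if now - s.issued_at > SESSION_TTL:
            self._sessions.pop(token)
            return False, "expired"
        if not hmac.compare_digest(s.context_hash, context_fingerprint(ip, user_agent)):
            # Same token, different device: revoke it and let the SOC investigate.
            self._sessions.pop(token)
            return False, "context mismatch"
        if sensitive and now - s.last_step_up > STEP_UP_MAX_AGE:
            return False, "step-up required"
        return True, "ok"

    def record_step_up(self, token: str, now: float) -> None:
        """Call after the user passes a fresh two-factor challenge."""
        self._sessions[token].last_step_up = now
```

Context binding on IP address alone can break legitimate users on mobile or behind changing NAT, so production systems usually weight several signals; the step-up window is what limits the damage a stolen token can do regardless of where it is replayed from.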
CircleCI said the theft of the session token allowed cybercriminals to impersonate the employee and gain access to some of the company's production systems, which store customer data.
"Because the targeted employee had privileges to generate production access tokens as part of the employee's regular duties, the unauthorized third party was able to access and extract data from a subset of databases and stores, including environment variables of the client, tokens and keys," said Rob Zuber, the company's chief technology officer. Zuber said the intruders had access from December 16 to January 4.
Zuber said that while the customer data was encrypted, the cybercriminals also obtained the encryption keys capable of decrypting the customer data. “We encourage customers who have not yet taken steps to do so to prevent unauthorized access to third-party systems and stores,” Zuber added.
Several customers have already reported unauthorized access to their systems to CircleCI, Zuber said.
The post-mortem comes days after the company warned clients to rotate “any and all secrets” stored on its platform, fearing hackers had stolen its clients’ source code and other sensitive secrets used to access other applications and services.
Zuber said that CircleCI employees who retain access to production systems "have added additional authentication steps and controls," which should prevent a repeat of the incident, likely through the use of hardware security keys.
The initial access point, the theft of tokens on an employee's laptop, looks a bit like how password manager giant LastPass was hacked, which also involved an intruder targeting an employee's device, though it is not known whether the two incidents are linked. LastPass confirmed in December that its customers' encrypted password vaults were stolen in a previous breach. LastPass said the hackers had initially compromised an employee's device and account access, allowing them to break into LastPass' internal development environment.