Unauthorized access to CircleCI leads to customer data theft, impacts third-party tokens

CircleCI, a software development continuous integration (CI) & continuous delivery (CD) service, has announced the results of a security incident investigation that occurred in December 2022. The trigger for the intrusion was that an employee's laptop was infected with malware, and since this employee was an engineer with the authority to create access tokens to the production environment, the intruder accessed the production environment and stole information. It is said that it led to doing

CircleCI incident report for January 4, 2023 security incident

Compromise of employee device, credentials led to CircleCI breach | SC Media
https://www.scmagazine.com/analysis/breach/compromise-of-employee-device-credentials-led-to-circleci-breach

CircleCI's hack caused by malware stealing engineer's 2FA-backed session
https://www.bleepingcomputer.com/news/security/circlecis-hack-caused-by-malware-stealing-engineers-2fa-backed-session/

CircleCI says hackers stole encryption keys and customers' secrets | TechCrunch
https://techcrunch.com/2023/01/14/circleci-hackers-stole-customer-source-code/

The security incident in which CircleCI announced its findings was reported to have occurred on January 4, 2023, and the investigation found that the intrusion dates back to at least December 16, 2022.

The trigger for the intrusion was a malware infection on an employee's laptop. As a result, the SSO session cookie supported by two-factor authentication was stolen, so the attacker gained access without being prompted for two-factor authentication or password input.

According to CircleCI CTO Rob Zuber, the targeted employee had access token generation privileges for the production environment, and the attackers began unauthorized access to CircleCI's database and store from December 22, 2022. and stole some customer data.

CircleCI modifies all tokens associated with customers, including project API tokens, personal API tokens, and GitHub OAuth tokens, and also works with Atlassian and AWS to remove potentially compromised Bitbucket and AWS tokens from customers. was notified to.

Fewer than five customers reported unauthorized access to third-party systems after CircleCI took action.