CircleCI says hackers stole encryption keys and customers' source code

Zack Whittaker
·3 min read

CircleCI, a software company whose products are popular with developers and software engineers, confirmed that some customers' data was stolen in a data breach last month.

The company said in a detailed blog post on Friday that it identified the intruder's initial point of access as an employee's laptop that was compromised with malware, allowing the theft of session tokens used to keep the employee logged in to certain applications, even though their access was protected with two-factor authentication.

The company took the blame for the compromise, calling it a "systems failure," adding that its antivirus software failed to detect the token-stealing malware on the employee's laptop.

Session tokens allow a user to stay logged in without having to keep re-entering their password or re-authorizing using two-factor authentication each time. But a stolen session token allows an intruder to gain the same access as the account holder without needing their password or two-factor code. As such, it can be difficult to tell whether a session token is being presented by the account owner or by a hacker who stole it.

CircleCI said the theft of the session token allowed the cybercriminals to impersonate the employee and gain access to some of the company's production systems, which store customer data.

"Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys," said Rob Zuber, the company's chief technology officer. Zuber said the intruders had access from December 16 through January 4.

Zuber said that while customer data was encrypted, the cybercriminals also obtained the encryption keys able to decrypt customer data. "We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores," Zuber added.

Several customers have already informed CircleCI of unauthorized access to their systems, Zuber said.

The post-mortem comes days after the company warned customers to rotate "any and all secrets" stored in its platform, fearing that hackers had stolen its customers' source code and other sensitive secrets used for access to other applications and services.

Zuber said that CircleCI employees who retain access to production systems "have added additional step-up authentication steps and controls," which should prevent a repeat incident, likely by way of using hardware security keys.
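The two mechanisms the article touches on, a session token that stands in for the user after login and step-up authentication before privileged actions, can be illustrated with a small session store. The example below is added here and is not CircleCI's code or a description of its systems; the class, field and threshold names (`SessionStore`, `STEP_UP_MAX_AGE`, the `client_ctx` device fingerprint) are assumptions for illustration. It shows three defensive controls against a replayed token: the server keeps only a keyed hash of the token, a session is bound to the client context seen at login and is revoked (with an alert) if the same token appears from a different context, and generating a production access token requires a second factor that is fresh, not merely one presented at login.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Thresholds are assumptions for the example, not values from the article.
SESSION_TTL = 8 * 3600       # seconds a login session stays valid
STEP_UP_MAX_AGE = 300        # seconds a second-factor check stays "fresh" for privileged actions


@dataclass
class Session:
    user: str
    device_fp: str            # fingerprint of the client context captured at login
    issued_at: float
    last_mfa_at: float        # time of the most recent second-factor check


class SessionStore:
    """Server-side session table with token binding and step-up gating (illustrative)."""

    def __init__(self, server_key: bytes):
        self._key = server_key          # secret used to derive the stored handle from a token
        self._sessions: dict[str, Session] = {}
        self.alerts: list[str] = []     # what a detection pipeline would receive

    @staticmethod
    def fingerprint(client_ctx: dict) -> str:
        # Hash of whatever stable client attributes the deployment chooses (constructed here).
        material = "|".join(f"{k}={client_ctx[k]}" for k in sorted(client_ctx))
        return hashlib.sha256(material.encode()).hexdigest()

    def _handle(self, token: str) -> str:
        # Only a keyed hash is stored, so a dump of the table does not yield usable tokens.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str, client_ctx: dict, now: float) -> str:
        """Called after password + second factor succeed; returns the bearer token."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._handle(token)] = Session(
            user, self.fingerprint(client_ctx), issued_at=now, last_mfa_at=now)
        return token

    def _lookup(self, token: str, client_ctx: dict, now: float):
        handle = self._handle(token)
        s = self._sessions.get(handle)
        if s is None:
            return None, "unknown-token"
        if now - s.issued_at > SESSION_TTL:
            del self._sessions[handle]
            return None, "expired"
        if not hmac.compare_digest(s.device_fp, self.fingerprint(client_ctx)):
            # Same token, different client context: treat as possible theft, revoke and alert.
            self.alerts.append(f"session for {s.user} presented from a new device context; revoked")
            del self._sessions[handle]
            return None, "device-mismatch"
        return s, "ok"

    def access(self, token: str, client_ctx: dict, now: float) -> bool:
        """Ordinary, non-privileged request: valid bound session is enough."""
        _, why = self._lookup(token, client_ctx, now)
        return why == "ok"

    def step_up(self, token: str, client_ctx: dict, now: float, second_factor_ok: bool) -> bool:
        """Record a fresh second-factor check (e.g. hardware key assertion) on the session."""
        s, _ = self._lookup(token, client_ctx, now)
        if s is None or not second_factor_ok:
            return False
        s.last_mfa_at = now
        return True

    def generate_production_token(self, token: str, client_ctx: dict, now: float):
        """Privileged action: requires a valid session AND a recent second-factor check."""
        s, why = self._lookup(token, client_ctx, now)
        if s is None:
            return None, why
        if now - s.last_mfa_at > STEP_UP_MAX_AGE:
            return None, "step-up-required"
        return secrets.token_urlsafe(32), "ok"


def demo() -> dict:
    """Walk through the controls with constructed sample data; returns outcomes for inspection."""
    store = SessionStore(b"constructed-server-key")
    ctx = {"user_agent": "Mozilla/5.0 (X11; Linux)", "ip_prefix": "203.0.113.0/24"}
    t0 = 1_700_000_000.0
    token = store.login("alice", ctx, t0)
    results = {
        "normal_access": store.access(token, ctx, t0 + 10),
        "prod_token_stale_mfa": store.generate_production_token(token, ctx, t0 + 600)[1],
        "step_up": store.step_up(token, ctx, t0 + 600, second_factor_ok=True),
        "prod_token_fresh_mfa": store.generate_production_token(token, ctx, t0 + 610)[1],
        # The same token replayed from a different network context is refused and revoked.
        "replay_from_new_context": store.access(token, dict(ctx, ip_prefix="198.51.100.0/24"), t0 + 700),
        "original_context_after_revoke": store.access(token, ctx, t0 + 710),
        "alerts": list(store.alerts),
    }
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Binding a session to client context is a heuristic, not a guarantee: malware running on the employee's own machine, as described above, presents the token from the very context it was bound to, which is why the step-up requirement on the privileged operation (here, minting a production token) is the control that matters most in this scenario.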

The initial point of access — the token-stealing on an employee's laptop — bears some resemblance to how the password manager giant LastPass was hacked, which also involved an intruder targeting an employee's device, though it's not known if the two incidents are linked. LastPass confirmed in December that its customers' encrypted password vaults were stolen in an earlier breach. LastPass said the intruders had initially compromised an employee's device and account access, allowing them to break into LastPass' internal developer environment.
