US investigators probing breach at code testing company Codecov

Raphael Satter
·2 min read

By Raphael Satter

WASHINGTON (Reuters) -U.S. federal investigators are probing an intrusion at San Francisco-based software auditing company Codecov that affected an unknown number of its 29,000 customers, the firm said, raising the specter of knock-on breaches at companies elsewhere.

Codecov said in a statement hackers began tampering with its software - which is used across the tech industry to help test code for mistakes and vulnerabilities - on Jan. 31. However, the intrusion was only detected earlier this month when an astute customer noticed there was something off about the tool, Codecov said.

Although the ramifications of the incident remain unclear, the breach drew comparisons to the recent compromise of Texas software firm SolarWinds by alleged Russian hackers, both because the breach could have follow-on effects at many of the organizations that use Codecov and because of the length of time that the doctored software remained in circulation.

The company says on its website that it has 29,000 customers including consumer goods conglomerate Procter & Gamble Co, web hosting firm GoDaddy Inc, The Washington Post, and Australian software firm Atlassian Corporation PLC.

P&G, GoDaddy, and The Post did not immediately return messages seeking comment. Atlassian said it was aware of the situation and was investigating.

"At this moment, we have not found any evidence that we have been impacted nor have identified signs of a compromise," Atlassian said in an email.

Codecov is used by "big enterprises, small companies and open source tools alike," said Dor Atias of Israeli source code protection firm Cycode.

Subverting Codecov means "you can get a lot of data from a lot of big companies," he said. "It's a huge deal."

Codecov said there was an ongoing federal investigation into the matter but declined to elaborate on its statement.

The Federal Bureau of Investigation and Department of Homeland Security's cybersecurity arm did not immediately return a messages seeking comment on Friday.

(Reporting by Raphael Satter; Editing by Lincoln Feast.)