On Friday, DevOps platform CircleCI announced that it had experienced a data breach as a result of a “sophisticated attack” on December 16, 2022. The incident involved an employee’s laptop being compromised by unknown actors, who then used malware to steal the employee’s two-factor authentication-backed credentials to gain access to the company’s systems and data.
According to CircleCI’s Chief Technology Officer, Rob Zuber, the malware was able to steal session cookies, allowing the attackers to impersonate the targeted employee and escalate access to a subset of the company’s production systems. Further analysis revealed that the unauthorized third party had also accessed and exfiltrated data from a subset of CircleCI’s databases by exploiting the elevated permissions granted to the targeted employee. This data included customer environment variables, tokens, and keys.
The attackers are believed to have carried out reconnaissance activity on December 19, 2022, followed by the exfiltration of data on December 22, 2022. The company stated that, although all of the exfiltrated data was encrypted at rest, the attackers were able to extract the encryption keys from a running process, potentially giving them access to the encrypted data.
The incident occurred just over a week after CircleCI had urged its customers to rotate all of their secrets, following reports of “suspicious GitHub OAuth activity” by one of its customers on December 29, 2022. In response to the incident, CircleCI proactively rotated all GitHub OAuth tokens, worked with Atlassian to rotate all Bitbucket tokens, revoked Project API Tokens and Personal API Tokens, and notified customers of potentially affected AWS tokens.
In an effort to prevent similar incidents in the future, CircleCI has taken steps to limit access to production environments and has implemented additional authentication guardrails to prevent illegitimate access, even if credentials are stolen. The company also plans to initiate periodic automatic OAuth token rotation for all customers and to provide users with options to adopt the latest and most advanced security features available.