CircleCI, a software company whose products are popular with developers and software engineers, has confirmed that some customer data was stolen in a data breach last month.
In a detailed blog post on Friday, the company said it had identified the attacker’s initial entry point as an employee’s laptop compromised by malware that stole session tokens. Those tokens keep an employee logged in to certain applications even though the initial login was protected by two-factor authentication.
The company took the blame for the compromise, calling it a “system failure,” and added that its antivirus software failed to detect the token-stealing malware on the employee’s laptop.
Session tokens let a user stay logged in without re-entering their password or completing two-factor authentication on every request. A stolen session token therefore gives an intruder the same access as the account owner, with no need for the password or the two-factor code. From the server’s side, a request carrying the legitimate owner’s token and one carrying the same token stolen by an attacker can be difficult to tell apart.
CircleCI said the session token theft allowed the attackers to impersonate the employee and gain access to some of the company’s production systems that store customer data.
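As an added example that is not part of this article or of CircleCI’s code, the following Python sketch shows why a replayed session token looks exactly like the owner to the server, and one server-side check (binding the session to a client fingerprint captured at login) that can catch a replay from a different host. The session store, the fingerprint scheme, and the sample IPs and user-agents are all constructed for illustration.

```python
"""Added example (not CircleCI's code): why a stolen session token bypasses 2FA,
and one server-side check that can catch a replayed token.

The store, the fingerprint scheme and every sample value are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


def fingerprint(ip: str, user_agent: str) -> str:
    """Coarse client fingerprint recorded at login (assumed scheme: IP + User-Agent)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    issued_at: float
    client_fp: str


class SessionStore:
    """Server-side session table keyed by a hash of the bearer token, so a dump
    of the table alone does not yield usable tokens."""

    def __init__(self, max_age_seconds: int = 8 * 3600) -> None:
        self._sessions: Dict[str, Session] = {}
        self.max_age_seconds = max_age_seconds

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, password_ok: bool, totp_ok: bool,
              ip: str, user_agent: str) -> str:
        """Password and second factor are checked once, here; the returned bearer
        token is what every later request presents instead of them."""
        if not (password_ok and totp_ok):
            raise PermissionError("login requires password and second factor")
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(
            user=user, issued_at=time.time(), client_fp=fingerprint(ip, user_agent))
        return token

    def authenticate(self, token: str, ip: str, user_agent: str,
                     bind_to_client: bool = False) -> Optional[str]:
        """Return the user for a valid token, or None.

        With bind_to_client=False the server has nothing but the token to go on,
        so a stolen token is accepted exactly like the owner's.  With
        bind_to_client=True the token is also tied to the fingerprint captured at
        login, and a mismatch revokes the session."""
        session = self._sessions.get(self._key(token))
        if session is None:
            return None
        if time.time() - session.issued_at > self.max_age_seconds:
            self._sessions.pop(self._key(token))
            return None
        if bind_to_client and not hmac.compare_digest(
                session.client_fp, fingerprint(ip, user_agent)):
            self._sessions.pop(self._key(token))  # revoke on suspected replay
            return None
        return session.user


def replay_stolen_token(bind_to_client: bool) -> Dict[str, Optional[str]]:
    """Constructed scenario: the employee logs in with password + 2FA, malware on
    the laptop copies the token, and the attacker replays it from another host."""
    store = SessionStore()
    # Employee's laptop (constructed sample values).
    token = store.login("employee", password_ok=True, totp_ok=True,
                        ip="203.0.113.10", user_agent="Mozilla/5.0 (corp-laptop)")
    owner = store.authenticate(token, "203.0.113.10", "Mozilla/5.0 (corp-laptop)",
                               bind_to_client)
    # Attacker replays the same token from a different host. No password or 2FA
    # code is ever requested, because neither is part of the per-request check.
    attacker = store.authenticate(token, "198.51.100.77", "python-requests/2.31",
                                  bind_to_client)
    return {"owner": owner, "attacker": attacker}


if __name__ == "__main__":
    print("unbound:", replay_stolen_token(bind_to_client=False))
    print("bound:  ", replay_stolen_token(bind_to_client=True))
```

Binding a session to an IP or user-agent is a detection aid, not a fix: it breaks for roaming users, and it does nothing if the malware relays the attacker’s requests through the victim’s own machine. Short session lifetimes, revocation when something looks off, and credentials that cannot leave the device are what actually shrink the window a stolen token is useful for.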
“Because the targeted employee had privileges to create production access tokens as part of the employee’s regular duties, an unauthorized third party was able to access and export data from a subset of databases and stores, including customer environment variables, tokens, and keys,” said Rob Zuber, the company’s chief technology officer. Zuber said the intruders had access between Dec. 16 and Jan. 4.
While the customer data was encrypted, the attackers also obtained encryption keys that could decrypt it, Zuber said. “We encourage customers who have yet to take action to do so to prevent unauthorized access to third-party systems and stores,” Zuber added.
Several customers have already notified CircleCI of unauthorized access to their systems, Zuber said.
The post-mortem comes days after the company warned customers to rotate “all secrets” stored on its platform, over fears that hackers had stolen customers’ code and other sensitive secrets used to access other apps and services.
Zuber said CircleCI employees who access production systems “have added additional authentication steps and controls” that should prevent a repeat incident, possibly including hardware security keys.
The initial point of entry, the theft of a token from an employee’s laptop, bears some resemblance to the hack of password manager giant LastPass, which also began with an attacker targeting an employee’s device, although it is not known whether the two incidents are related. LastPass confirmed in December that its customers’ encrypted password vaults had been stolen in an earlier breach. LastPass says the attackers initially compromised an employee’s device and account access, allowing them to break into LastPass’s developer environment.
Update: the headline has been revised to better reflect that customer data was retrieved.