16 January 2023

CircleCI engineers’ laptop compromise led to security breach

CircleCI, a company behind the eponymous continuous integration and continuous delivery (CI/CD) platform, has shared additional details on a security breach that came to light in early January.

In an incident report published last week, the company said it first learned of the unauthorized access to its systems after a customer reported that their GitHub OAuth token had been compromised. An investigation into the incident found that the intruders gained access to CircleCI’s network via an engineer’s laptop, which had been infected with malware used to steal a valid, 2FA-backed SSO session.

“Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys,” CircleCI explained. “We have reason to believe that the unauthorized third party engaged in reconnaissance activity on December 19, 2022. On December 22, 2022, exfiltration occurred, and that is our last record of unauthorized activity in our production systems. Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data.”

After learning of the breach, the company closed the attack vector and implemented additional security measures. It also worked with Atlassian and AWS to notify customers of possibly compromised Bitbucket tokens and AWS tokens.
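The intrusion above hinged on a valid, MFA-backed SSO session being lifted from an endpoint and replayed from the attacker's own machine, which no amount of login-time MFA can catch. The following Python is an added example, not CircleCI's code or a description of its controls: it binds each session to the client context observed at login (source /24 network and User-Agent) and raises an alert when the same session id later shows up from a different context, so the session can be revoked and the token-generation privileges it carried can be rotated. The log format, session ids, users, IPs and the /24 comparison granularity are all constructed for the example.

```python
"""Detect replay of an SSO session from a different client context.

Added example (not CircleCI's code): bind a session to the network and
User-Agent seen at login, then flag later requests that arrive from a
different context. The log format and all values below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional


@dataclass
class SessionContext:
    network: str      # /24 the session was issued to, e.g. "203.0.113.0/24"
    user_agent: str   # User-Agent string presented at login


@dataclass
class Alert:
    session_id: str
    user: str
    reason: str
    seen_from: str


def _client_network(ip: str) -> str:
    # Compare at /24 granularity so ordinary DHCP/NAT churn within one
    # office or home network does not trip the detector (design choice).
    return str(ip_network(f"{ip}/24", strict=False))


class SessionMonitor:
    """Tracks issued sessions and alerts on replay from a new context."""

    def __init__(self) -> None:
        self._sessions: Dict[str, SessionContext] = {}
        self._users: Dict[str, str] = {}
        self.alerts: List[Alert] = []

    def on_login(self, session_id: str, user: str, ip: str, ua: str) -> None:
        self._sessions[session_id] = SessionContext(_client_network(ip), ua)
        self._users[session_id] = user

    def on_request(self, session_id: str, ip: str, ua: str) -> Optional[Alert]:
        ctx = self._sessions.get(session_id)
        if ctx is None:
            # A session id this server never issued: treat as forged/replayed.
            alert = Alert(session_id, "?", "session id not issued here", ip)
            self.alerts.append(alert)
            return alert
        reasons = []
        if _client_network(ip) != ctx.network:
            reasons.append("source network changed")
        if ua != ctx.user_agent:
            reasons.append("user agent changed")
        if not reasons:
            return None
        alert = Alert(session_id, self._users[session_id], "; ".join(reasons), ip)
        self.alerts.append(alert)
        return alert


# Constructed auth-log lines: "<ts> <event> key=value ...". The third line
# models a stolen session being replayed from an unfamiliar host and client.
SAMPLE_LOG = [
    "2022-12-19T09:02:11Z login sid=s1 user=eng1 ip=203.0.113.10 ua=Firefox/108",
    "2022-12-19T09:05:40Z request sid=s1 ip=203.0.113.10 ua=Firefox/108 path=/tokens",
    "2022-12-19T14:31:02Z request sid=s1 ip=198.51.100.77 ua=python-requests/2.28 path=/tokens/new",
    "2022-12-19T14:40:00Z request sid=s9 ip=198.51.100.77 ua=python-requests/2.28 path=/db/export",
]


def _parse(line: str):
    ts, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return ts, event, fields


def process_log(lines: List[str]) -> List[Alert]:
    """Replay the log through a SessionMonitor and return the alerts raised."""
    mon = SessionMonitor()
    for line in lines:
        _ts, event, f = _parse(line)
        if event == "login":
            mon.on_login(f["sid"], f["user"], f["ip"], f["ua"])
        elif event == "request":
            mon.on_request(f["sid"], f["ip"], f["ua"])
    return mon.alerts


if __name__ == "__main__":
    for a in process_log(SAMPLE_LOG):
        print(f"ALERT sid={a.session_id} user={a.user} from={a.seen_from}: {a.reason}")
```

Run as a script it prints one alert for session `s1` (both the network and the User-Agent changed) and one for the never-issued `s9`. In a real deployment the alert would feed session revocation and, for a principal that can mint production tokens, rotation of anything minted since the session was established; the /24 comparison is deliberately coarse and should be tuned to the organisation's own network layout.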
