CircleCI, the company behind the eponymous continuous integration and continuous delivery (CI/CD) platform, has shared additional details on a security breach that came to light in early January.
In an incident report published last week, the company said it first learned of the unauthorized access to its systems after a customer reported that their GitHub OAuth token had been compromised. An investigation into the incident found that the intruders gained access to CircleCI’s network via an engineer’s laptop, which had been infected with malware used to steal a valid, 2FA-backed SSO session.
“Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys,” CircleCI explained. “We have reason to believe that the unauthorized third party engaged in reconnaissance activity on December 19, 2022. On December 22, 2022, exfiltration occurred, and that is our last record of unauthorized activity in our production systems. Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data.”
After learning of the breach, the company closed the attack vector and implemented additional security measures. It also worked with Atlassian and AWS to notify customers of possibly compromised Bitbucket tokens and AWS tokens.