CircleCI Says Hackers Stole Clients' Encryption Keys and Secrets

CircleCI, a software company whose products are popular with software developers and engineers, has confirmed that some customers' data was stolen in a data breach last month.

The company said in a detailed blog post on Friday that it had identified the intruder's initial access point as an employee's laptop compromised by malware, enabling the theft of session tokens, the identifiers used to keep the employee logged in to certain applications, even though their access was protected by two-factor authentication.

The company took responsibility for the compromise, calling it a "system failure", adding that its antivirus software failed to detect the token-stealing malware on the employee's laptop.

Session tokens allow a user to stay logged in without having to re-enter their password or re-authorize themselves using two-factor authentication each time. But a stolen session token allows an intruder to gain the same access as the account holder without needing their password or two-factor code. As such, it can be difficult for a server to tell the difference between a session token presented by the account owner and the same token presented by an attacker who stole it.
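The paragraph above describes the core problem: the token alone does not reveal who is presenting it. The added example below (illustrative code, not CircleCI's implementation) shows the two server-side controls that narrow the window a stolen token is useful for: binding each token to a fingerprint of the device that completed login (including 2FA) and giving it a fixed lifetime, so a token replayed from a different device or after expiry is revoked and logged rather than silently accepted. The session store, fingerprint inputs and TTL are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory session store for the example; a real service would use a
# shared store (e.g. Redis) so revocation takes effect across all application nodes.
SESSIONS = {}
SESSION_TTL = 8 * 3600  # seconds; a shorter lifetime bounds how long a stolen token works


def _fingerprint(client_ip: str, user_agent: str) -> str:
    """Hash of client attributes captured at login; binds a token to its origin."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


def create_session(user: str, client_ip: str, user_agent: str, now=None) -> str:
    """Issue a random session token bound to the device that just passed login + 2FA."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy; never derived from user data
    SESSIONS[token] = {"user": user, "fp": _fingerprint(client_ip, user_agent),
                       "issued": now, "last_seen": now}
    return token


def validate_session(token: str, client_ip: str, user_agent: str, now=None) -> dict:
    """Return {"ok", "user", "reason"}; revoke the token on binding mismatch or expiry.

    A binding mismatch is the signal a replayed (stolen) token leaves behind, because
    by the token value alone the server cannot distinguish owner from thief.
    """
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None:
        return {"ok": False, "user": None, "reason": "unknown_token"}
    if now - sess["issued"] > SESSION_TTL:
        SESSIONS.pop(token, None)
        return {"ok": False, "user": None, "reason": "expired"}
    presented = _fingerprint(client_ip, user_agent)
    if not hmac.compare_digest(presented, sess["fp"]):
        # Invalidate rather than just deny: the legitimate owner is forced back through
        # 2FA, and the party holding the stolen copy loses it at the same moment.
        SESSIONS.pop(token, None)
        return {"ok": False, "user": sess["user"], "reason": "binding_mismatch"}
    sess["last_seen"] = now
    return {"ok": True, "user": sess["user"], "reason": None}
```

Binding to the client IP produces false positives for users on mobile or corporate networks whose addresses change, so a mismatch is best treated as a forced re-authentication and an alert rather than as proof of compromise.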

CircleCI said stealing the session token allowed the cybercriminals to impersonate the employee and gain access to some of the company's production systems, which store customer data.


"Because the targeted employee had privileges to generate production access tokens as part of their regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys," said Rob Zuber, the company's chief technology officer. Zuber said the intruders had access from December 16 through January 4.

Zuber said that although customer data was encrypted, the cybercriminals also obtained the encryption keys able to decrypt that data. "We encourage customers who have not yet taken steps to do so, to prevent unauthorized access to third-party systems and stores," Zuber added.

Several customers have already notified CircleCI of unauthorized access to their systems, Zuber said.

The post-mortem comes days after the company warned customers to rotate "all secrets" stored on its platform, fearing that hackers had stolen customers' code and other sensitive secrets used to access other apps and services.

Zuber said CircleCI employees who retain access to production systems "have added additional authentication steps and checks" which should prevent a repeat incident, likely using hardware security keys.

The initial access point - the theft of tokens from an employee's laptop - looks a bit like how password manager giant LastPass was hacked, which also involved an intruder targeting an employee's device, although it's unclear if the two incidents are related. LastPass confirmed in December that its customers' encrypted password vaults were stolen in an earlier breach. LastPass said the intruders initially compromised access to an employee's device and account, allowing them to break into LastPass's internal development environment.

Title updated to better reflect customer data that was taken.
