CircleCi, a software company whose products are popular with developers and software engineers, confirmed that some customers’ data was stolen in a data breach last month.
The company said in a detailed blog post on Friday that it identified the intruder’s first entry point as an employee’s laptop, which was compromised with malware, which enabled the theft of session tokens that kept the employee logged in to certain applications despite having access was protected with two-factor authentication.
The company took blame for the compromise, calling it a “system glitch,” adding that its antivirus software failed to detect the token-stealing malware on the employee’s laptop.
Session tokens allow a user to stay logged in without having to re-enter their password each time or re-authorize themselves using two-factor authentication. However, a stolen session token allows an intruder to gain the same access as the account holder without needing their password or two-factor code. Therefore, it can be difficult to distinguish between an account holder’s session token and a hacker who stole the token.
According to CircleCi, stealing the session token allowed the cybercriminals to pose as employees and gain access to some of the company’s production systems where customer data is stored.
“Because the affected employee was authorized to generate production access tokens as part of their regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens and keys,” said Rob Zuber, Chief Technology Officer the company. Zuber said the intruders had access from December 16 to January 4.
Zuber said that while customer data was encrypted, the cybercriminals also obtained the encryption keys that could be used to decrypt customer data. “We encourage customers who still need to take steps to prevent unauthorized access to third-party systems and stores to do so,” Zuber added.
Several customers have already notified CircleCi of unauthorized access to their systems, Zuber said.
The autopsy comes days after the company warned customers it was rotating “any secrets stored on its platform” amid fears hackers have stolen its customers’ code and other sensitive secrets used to access other apps and services will.
Zuber said CircleCi employees who retain access to production systems “added additional step-up authentication steps and controls” that should prevent a repeat incident, likely through the use of hardware security keys.
The first point of access — the token theft on an employee’s laptop — bears some resemblance to password manager giant LastPass’s hack, which also saw an intruder target an employee’s device, although it’s not known if the two incidents are connected to each other. LastPass confirmed in December that its customers’ encrypted password vaults were stolen in a previous attack. LastPass said the intruders first compromised an employee’s device and account access, allowing them to break into LastPass’s internal development environment.
Updated headline to better reflect customer data collected.