The software company CircleCI has acknowledged that a data breach last month resulted in the theft of customers' personal information.
Hackers broke into the company in December after an engineer's laptop was infected with data-stealing malware that captured the engineer's 2FA-backed SSO session cookies and used them to gain access to CircleCI's internal systems.
Earlier this month, after disclosing the breach, CircleCI reminded customers to change their credentials and passwords.
The company accepted responsibility for the breach and attributed it to a systems failure, noting that its antivirus program missed the token-stealing malware on the employee's laptop. Session tokens let users stay logged in without repeatedly typing their password or re-authorizing with a second factor. The flip side is that an attacker holding a stolen session token can access the same resources as the account holder without knowing the password or possessing the two-factor code. From the server's point of view, a token presented by the legitimate owner and the same token presented by an intruder look identical, which makes the theft hard to distinguish from normal use.
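The token value itself gives a server nothing to distinguish owner from thief, so the practical defence is to compare the context of each request (source network, User-Agent) against the context recorded when the session was issued after SSO and 2FA, and to flag deviations. The following is an added illustration of that check, not CircleCI's code; the session table, the log lines and the /24 tolerance are constructed assumptions for the example.

```python
"""Added example (not CircleCI's code): flag a session token reused from a
different client context than the one it was issued to.

The session table and the request log lines below are constructed for the
example. Treating the /24 of the issuing IP as "same network" is an
assumption chosen to tolerate DHCP/NAT churn without masking a real move.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class SessionRecord:
    user: str
    issued_ip: str   # source IP at login (after SSO + 2FA)
    issued_ua: str   # User-Agent at login


# Constructed session table: token_id -> context captured when issued.
SESSIONS = {
    "sess-1": SessionRecord("alice", "203.0.113.10",
                            "Mozilla/5.0 (Macintosh) Chrome/108"),
}

# Constructed request log: "<timestamp> <token_id> <source_ip> <user_agent>"
SAMPLE_LOG = [
    "2023-01-04T10:00:00Z sess-1 203.0.113.10 Mozilla/5.0 (Macintosh) Chrome/108",
    "2023-01-04T10:05:00Z sess-1 203.0.113.12 Mozilla/5.0 (Macintosh) Chrome/108",
    "2023-01-04T11:00:00Z sess-1 198.51.100.7 python-requests/2.28",
    "2023-01-04T11:01:00Z sess-9 198.51.100.7 python-requests/2.28",
]


def parse_line(line):
    """Split one log line; the User-Agent may itself contain spaces."""
    ts, token_id, ip, ua = line.split(" ", 3)
    return ts, token_id, ip, ua


def same_network(ip_a, ip_b, prefix=24):
    """True when both addresses fall inside the same /prefix."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def classify(record, ip, ua):
    """List the ways a request deviates from the session's issue context."""
    reasons = []
    if not same_network(record.issued_ip, ip):
        reasons.append("ip_network_changed")
    if ua != record.issued_ua:
        reasons.append("user_agent_changed")
    return reasons


def find_suspicious_sessions(log_lines, sessions):
    """Map token_id -> [(timestamp, reasons)] for requests whose context
    deviates from the issue context, or whose token is not in the table."""
    findings = {}
    for line in log_lines:
        ts, token_id, ip, ua = parse_line(line)
        record = sessions.get(token_id)
        if record is None:
            findings.setdefault(token_id, []).append((ts, ["unknown_token"]))
            continue
        reasons = classify(record, ip, ua)
        if reasons:
            findings.setdefault(token_id, []).append((ts, reasons))
    return findings


if __name__ == "__main__":
    for token_id, hits in find_suspicious_sessions(SAMPLE_LOG, SESSIONS).items():
        for ts, reasons in hits:
            print(f"{ts} {token_id}: {', '.join(reasons)}")
```

Run as written, the second line passes (same /24, same client) while the third is flagged on both counts, which is the kind of signal that would let a stolen cookie be caught before the attacker reaches systems holding customer data. Context binding reduces, but does not remove, the exposure: a thief who replays the token from the same network with a copied User-Agent still passes, so short session lifetimes and prompt token rotation remain the backstop.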
According to CircleCI, the stolen session token allowed the hackers to impersonate the employee and gain access to some of the company's systems, which store customer data. CircleCI states that in response to the hack it rotated all customer-related tokens, including Project API Tokens, Personal API Tokens, and GitHub OAuth tokens. The company also worked with Atlassian and AWS to notify customers of potentially compromised AWS and Bitbucket tokens.
CircleCI says that, to further harden its infrastructure, it has added detections for the behaviours of this information-stealing malware to its antivirus and mobile device management (MDM) tooling.
"While client data was encrypted, the cybercriminals also gained the encryption keys able to decrypt consumer data," said Rob Zuber, the company's chief technology officer. Researchers urge customers who have not yet done so to take those steps and rotate their credentials, to prevent unauthorized access to third-party systems and data stores. The company has additionally tightened the security of its 2FA solution and restricted access to its production environments to a smaller group of users.