CircleCI, a software development company whose products are popular among developers and engineers, confirmed that some of its customers' data was stolen in a breach last month.
The company said it has identified the attacker's entry point into its systems: the laptop of an employee, which had been compromised by malware. This allowed the attackers to obtain the session tokens that kept the employee logged in.
The company took responsibility for the compromise, calling it a "systems failure". CircleCI also added that its antivirus software failed to detect the token-stealing malware on the employee's laptop.
Session tokens allow a user to stay logged in without re-entering a password or repeatedly completing two-factor authentication. A stolen session token gives an attacker exactly the same access. This makes it difficult to distinguish the legitimate account owner's session from that of an intruder who obtained the token unlawfully.
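Because a stolen token is a valid token, a defender has to look at the context in which it is used rather than at the token itself. The following is an added illustration, not code from the article or from CircleCI: it scans constructed session-use events (timestamp, session id, user, source IP, user agent are assumed fields) and flags a session whose client fingerprint changes mid-session or which is used past a maximum lifetime without re-authentication.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real CircleCI logs):
# (timestamp, session_id, user, source_ip, user_agent)
SAMPLE_EVENTS = [
    ("2022-12-16T09:00:00", "sess-A1", "alice", "203.0.113.10", "Mozilla/5.0 (Macintosh)"),
    ("2022-12-16T09:15:00", "sess-A1", "alice", "203.0.113.10", "Mozilla/5.0 (Macintosh)"),
    # same token, suddenly used from another network and a scripted client
    ("2022-12-16T11:40:00", "sess-A1", "alice", "198.51.100.77", "python-requests/2.28"),
    ("2022-12-16T12:00:00", "sess-B7", "bob",   "192.0.2.5",    "Mozilla/5.0 (X11; Linux)"),
    # same token, same client, but more than a day later with no fresh login
    ("2022-12-17T13:00:00", "sess-B7", "bob",   "192.0.2.5",    "Mozilla/5.0 (X11; Linux)"),
]

# Assumed policy: a session must be re-authenticated after 12 hours.
MAX_SESSION_AGE = timedelta(hours=12)


@dataclass
class SessionState:
    user: str
    first_seen: datetime
    fingerprint: tuple  # (source_ip, user_agent) recorded at first use


def detect_session_anomalies(events, max_age=MAX_SESSION_AGE):
    """Return a list of (session_id, reason) alerts.

    The token itself cannot tell a legitimate user from a thief, so the check
    compares each use against the context in which the session was first seen.
    """
    sessions = {}
    alerts = []
    for ts_str, sid, user, ip, ua in events:
        ts = datetime.fromisoformat(ts_str)
        fp = (ip, ua)
        state = sessions.get(sid)
        if state is None:
            # first use: remember who, when and from where the session started
            sessions[sid] = SessionState(user, ts, fp)
            continue
        if fp != state.fingerprint:
            alerts.append((sid, f"fingerprint changed from {state.fingerprint} to {fp}"))
        if ts - state.first_seen > max_age:
            alerts.append((sid, f"session older than {max_age} used without re-authentication"))
    return alerts
```

Over the sample events this yields one alert for sess-A1 (client fingerprint changed) and one for sess-B7 (used beyond the 12-hour limit); in practice such alerts are a trigger to invalidate the session and force re-authentication.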
Theft of session tokens allows cybercriminals to impersonate the company's employees and gain access to some of the production systems in which customer data is stored.
"Since this employee had the authority to independently generate production access tokens, an unauthorized third party was able to obtain the same privileges and extract data from many databases and storage facilities, including customer environment variables, tokens and keys," said Rob Zuber, chief technology officer of CircleCI. He also said that the attackers had access to the systems from December 16 to January 4.
Zuber noted that although customer data was encrypted, the attackers obtained the encryption keys during the attack and could therefore decrypt it. "We urge customers who have not yet taken any action to do so urgently to prevent unauthorized access," Zuber added.
According to Zuber, several customers have already informed CircleCI of unauthorized access to their systems.
The analysis of the breach was completed a few days after the company warned customers that they needed to change "all sensitive data" stored on the platform.
Zuber said that CircleCI has tightened its authentication process for employees, which should prevent a repeat of the incident.
The method used by the attackers, theft of a token from an employee's laptop, bears some similarity to the method used in the recent breach of the LastPass password manager. There, too, access was obtained through the device of one of the employees: the attackers compromised the device and gained access to the account, which allowed them to penetrate the service's internal environment. It is not known for certain whether the two incidents are related.