[BreachExchange] CircleCI Customer Data Exposed Through Third-Party Vendor

Destry Winant destry at riskbasedsecurity.com
Mon Sep 9 09:13:48 EDT 2019


CircleCI, a San Francisco-based company that specializes in continuous
integration and delivery solutions, on Thursday informed customers
that some of their information may have been exposed through a
third-party analytics vendor.

The DevOps firm said it became aware on August 31 that an attacker had
gained access to some user data in its vendor account. An
investigation is ongoing, but so far it appears that the incident
impacts customers who accessed the CircleCI platform between June 30,
2019, and August 31, 2019.

“On August 31st at 2:32 p.m. UTC, a CircleCI team member saw an email
notification from one of our third-party analytics vendors and
suspected that unusual activity was taking place in this particular
vendor account. The employee immediately forwarded the email to our
security and engineering teams, at which point a comprehensive
investigation was launched and steps were taken to ensure the
situation was contained,” the company told customers.

The exposed data includes usernames and email addresses associated
with Bitbucket and GitHub, user IP addresses, and user agent strings.
Organization names, repository names and URLs, branch names, and repo
owners may have also been exposed, CircleCI said.

However, the company claims the attacker did not gain access to any
user secrets, build logs or artifacts, source code, or any other
production data. Passwords, authentication tokens and financial
information should also be safe.

CircleCI says the incident is unlikely to result in identity theft and
assured customers that their builds and source code are not at risk.
Customers have been told that they should be able to access and use
the CircleCI platform without any problems, and they do not need to
change passwords or revoke authentication tokens.

However, customers have been advised to review the exposed data as it
might include sensitive business information. There is also a chance
that malicious actors could leverage the compromised email addresses
and related metadata for targeted phishing attacks, CircleCI warned.

“We’re continuing to collaborate with the third-party vendor to
identify the exact vulnerability that caused the incident. In the
meantime, we will review our policies for enforcing 2FA on third-party
accounts to the extent possible, and continue our transition to single
sign-on (SSO) for all of our integrations,” the company said.

SecurityWeek has reached out to CircleCI to find out how many of its
customers were affected by the incident. This article will be updated
if the company responds.

CircleCI’s website says the company runs over 30 million builds every
month on Linux, Windows and macOS. It claims to have thousands of
customers, including Samsung, Ford, Facebook, GoPro, Kickstarter,
Lyft, and Spotify. The company has raised over $115 million to date.
