4 min read

Last week, the team at CircleCI came across with a security breach incident that involved CircleCI and a third-party analytics vendor. An attacker got access to the user data including usernames, email addresses that were associated with GitHub and Bitbucket, user IP addresses as well as user-agent strings from their third-party vendor account. 

According to the CircleCI team, information about repository URLs and names, organization name, branch names, and repository owners might have got exposed during this incident. CircleCI user secrets, build artifacts, source code,  build logs, or any other production data wasn’t accessed during this incident. Data regarding the auth tokens, password hashes, credit card or financial information also wasn’t assessed. 

The security and the engineering teams at CircleCI revoked the access of the compromised user and further launched an investigation.

The official page reads, “CircleCI does not collect social security numbers or credit card information; therefore, it is highly unlikely that this incident would result in identity theft.”

How did the security breach occur?

The incident took place on 31st August at 2:32 p.m. UTC and it came in the notice when a CircleCI team member saw an email notification about the incident from one of their third-party analytics vendors. And it was then suspected that some unusual activity was taking place in a particular vendor account. 

The employee then forwarded the email to their security and engineering teams after which the investigation started and steps were taken in order to control the situation. 

According to CircleCI’s engineering team, the added database was not a CircleCI resource. The team then removed the malicious database and the compromised user from the tool and further reached out to the third-party vendor to collaborate on the investigation. 

At 2:43 p.m. UTC, the security teams started disabling the improperly accessed account and by 3:00 p.m. UTC, this process ended.

According to the team, the customers who accessed the platform between June 30, 2019, and August 31, 2019, could possibly be affected. The page further reads, “In the interest of transparency, we are notifying affected CircleCI users of the incident via email and will provide relevant updates on the FAQ page as they become available.”

CircleCI will strengthen its platform’s security

The team will continue to collaborate with the third-party vendor so that they can find out the exact vulnerability that caused the incident. The team will review their policies for enforcing 2FA on third-party accounts and continue their transition to single sign-on (SSO) for all of their integrations. This year, the team also doubled the size of their security team.

The official post reads, “Our security team is taking steps to further enhance our security practices to protect our customers, and we are looking into engaging a third-party digital forensics firm to assist us in the investigation and further remediation efforts. While the investigation is ongoing, we believe the attacker poses no further risk at this time.”

The page further reads, “However, this is no excuse for failing to adequately protect user data, and we would like to apologize to the affected users. We hope that our remediations and internal audits are able to prevent incidents like this and minimize exposures in the future. We know that perfect security is an impossible goal, and while we can’t promise that, we can promise to do better.”

Few users on HackerNews discuss how CircleCI has taken user’s data and its security for granted by handing it over to the third party. 

A user commented on HackerNews, “What’s sad about this is that CircleCI actually has a great product and is one of the nicest ways to do end to end automation for mobile development/releases. Having their pipeline in place actually feels quite liberating. The sad part is that they take this for granted and liberate all your data and security weaknesses too to unknown third parties for either a weird ideological reason about interoperability or a small marginal profit.”

Few others are appreciating the company’s efforts for resolving the issue. Another user commented, “This is how you handle a security notification. Well done CircleCI, looking forward to the full postmortem.”

What’s new in security this week?

CircleCI Over 47K Supermicro servers’ BMCs are prone to USBAnywhere, a remote virtual media vulnerability

Cryptographic key of Facebook’s Free Basics app has been compromised

Retadup, a malicious worm infecting 850k Windows machines, self-destructs in a joint effort by Avast and the French police