CircleCI Customer Data Exposed Through Third-Party Vendor

CircleCI, a San Francisco-based company that specializes in continuous integration and delivery solutions, on Thursday informed customers that some of their information may have been exposed through a third-party analytics vendor.

The DevOps firm said it became aware on August 31 that an attacker had gained access to some user data in its vendor account. An investigation is ongoing, but so far it appears that the incident impacts customers who accessed the CircleCI platform between June 30, 2019, and August 31, 2019.

“On August 31st at 2:32 p.m. UTC, a CircleCI team member saw an email notification from one of our third-party analytics vendors and suspected that unusual activity was taking place in this particular vendor account. The employee immediately forwarded the email to our security and engineering teams, at which point a comprehensive investigation was launched and steps were taken to ensure the situation was contained,” the company told customers.

The exposed data includes usernames and email addresses associated with Bitbucket and GitHub, user IP addresses, and user agent strings. Organization names, repository names and URLs, branch names, and repo owners may have also been exposed, CircleCI said.

However, the company claims the attacker did not gain access to any user secrets, build logs or artifacts, source code, or any other production data. Passwords, authentication tokens and financial information should also be safe.

CircleCI says the incident is unlikely to result in identity theft and assured customers that their builds and source code are not at risk. Customers have been told that they should be able to access and use the CircleCI platform without any problems, and they do not need to change passwords or revoke authentication tokens.

However, customers have been advised to review the exposed data as it might include sensitive business information. There is also a chance that malicious actors could leverage the compromised email addresses and related metadata for targeted phishing attacks, CircleCI warned.

“We’re continuing to collaborate with the third-party vendor to identify the exact vulnerability that caused the incident. In the meantime, we will review our policies for enforcing 2FA on third-party accounts to the extent possible, and continue our transition to single sign-on (SSO) for all of our integrations,” the company said.

SecurityWeek has reached out to CircleCI to find out how many of its customers were affected by the incident. This article will be updated if the company responds.

CircleCI’s website says the company runs over 30 million builds every month on Linux, Windows and macOS. It claims to have thousands of customers, including Samsung, Ford, Facebook, GoPro, Kickstarter, Lyft, and Spotify. The company has raised over $115 million to date.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.