CircleCI Customer Data Exposed Through Third-Party Vendor

CircleCI, a San Francisco-based company that specializes in continuous integration and delivery solutions, on Thursday informed customers that some of their information may have been exposed through a third-party analytics vendor.

The DevOps firm said it became aware on August 31 that an attacker had gained access to some user data in its vendor account. An investigation is ongoing, but so far it appears that the incident impacts customers who accessed the CircleCI platform between June 30, 2019, and August 31, 2019.

“On August 31st at 2:32 p.m. UTC, a CircleCI team member saw an email notification from one of our third-party analytics vendors and suspected that unusual activity was taking place in this particular vendor account. The employee immediately forwarded the email to our security and engineering teams, at which point a comprehensive investigation was launched and steps were taken to ensure the situation was contained,” the company told customers.

The exposed data includes usernames and email addresses associated with Bitbucket and GitHub, user IP addresses, and user agent strings. Organization names, repository names and URLs, branch names, and repo owners may have also been exposed, CircleCI said.

The company says the attacker did not gain access to any user secrets, build logs or artifacts, source code, or any other production data, and that passwords, authentication tokens and financial information were not exposed.

CircleCI says the incident is unlikely to result in identity theft and assured customers that their builds and source code are not at risk. Customers have been told that they should be able to access and use the CircleCI platform without any problems, and they do not need to change passwords or revoke authentication tokens.

However, customers have been advised to review the exposed data, since organization, repository and branch names can reveal sensitive business information. CircleCI also warned that the compromised email addresses, combined with this metadata, could be leveraged by malicious actors for targeted phishing attacks.

“We’re continuing to collaborate with the third-party vendor to identify the exact vulnerability that caused the incident. In the meantime, we will review our policies for enforcing 2FA on third-party accounts to the extent possible, and continue our transition to single sign-on (SSO) for all of our integrations,” the company said.

SecurityWeek has reached out to CircleCI to find out how many of its customers were affected by the incident. This article will be updated if the company responds.

CircleCI’s website says the company runs over 30 million builds every month on Linux, Windows and macOS. It claims to have thousands of customers, including Samsung, Ford, Facebook, GoPro, Kickstarter, Lyft, and Spotify. The company has raised over $115 million to date.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
