Security Experts:

Connect with us

Hi, what are you looking for?


Data Breaches

CircleCI Hacked via Malware on Employee Laptop

Software development service CircleCI said a recent data breach was the result of information stealer malware being deployed on an engineer’s laptop.

Software development service CircleCI has revealed that a recently disclosed data breach was the result of information stealer malware being deployed on an engineer’s laptop.

The incident was initially disclosed on January 4, when CircleCI urged customers to rotate their secret keys.

In an updated incident report on Friday, the company said that it was initially alerted of suspicious activity on December 29, 2022, and that on December 31 it started rotating all GitHub OAuth tokens on behalf of its customers.

On January 4, 2023, CircleCI learned that malware deployed on an engineer’s laptop on December 16 was used to steal a 2FA-backed SSO session, which allowed the attackers to access the company’s internal systems.

“Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems,” the company said.

The compromised employee account was used to generate production access tokens, which allowed the hackers to “access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys”.

The attackers, CircleCI said, performed reconnaissance on December 19 and exfiltrated the sensitive information on December 22.

“Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” the company said.

To contain the breach, the company shut down all access for the compromised employee account, shut down production access to nearly all employees, rotated all potentially exposed production hosts, revoked all project API tokens, revoked all personal API tokens created prior to January 5, rotated all Bitbucket and GitHub OAuth tokens, and started notifying customers of the incident.

“We have taken many steps since becoming aware of this attack, both to close the attack vector and add additional layers of security,” CircleCI said.

According to the company, both “both the attack vector and the potential of a lingering corrupted host” were eliminated through the rotation of all production hosts.

Due to the sensitive nature of the exfiltrated information, all CircleCI customers should rotate SSH keys, OAuth tokens, project API tokens, and other secrets, and should investigate any suspicious activity observed after December 16.

“Because this incident involved the exfiltration of keys and tokens for third-party systems, there is no way for us to know if your secrets were used for unauthorized access to those third-party systems,” the company said. “At the time of publishing, fewer than 5 customers have informed us of unauthorized access to third-party systems as a result of this incident.”

Cloud monitoring service Datadog, one of the impacted CircleCI customers, announced late last week that it had identified an old RPM GNU Privacy Guard (GPG) private signing key that was compromised in the incident, along with its passphrase.

“As of January 12th, 2023, Datadog has no indication that the key was actually leaked or misused, but we are still taking the following actions out of an abundance of caution,” Datadog said.

Related: LastPass Says Password Vault Data Stolen in Data Breach

Related: Toyota Discloses Data Breach Impacting Source Code, Customer Email Addresses

Related: Microsoft Confirms Data Breach, But Claims Numbers Are Exaggerated

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Data Breaches

Companies affected by the recent Mailchimp data breach have started notifying customers. The list includes WooCommerce, FanDuel, Yuga Labs and the Solana Foundation.

Data Breaches

Zacks Investment Research is informing 820,000 individuals that their personal data was compromised in a data breach.

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.

Data Breaches

A ransomware attack on Yum Bands forced the parent company of KFC and Taco Bell to close hundreds of restaurants in the United Kingdom

Data Breaches

Google Fi informs customers about a data breach related to the recent T-Mobile cyberattack and some users claim they were targeted in a SIM...

Data Breaches

JD Sports discovers unauthorized access to information from orders placed by customers between 2018 and 2020.