Original Release Date: 1/19/2023
On January 4, CircleCI notified customers of a security incident and subsequent breach. CircleCI, similar to GitHub, is a continuous integration and continuous delivery (CI/CD) platform that aids development teams in building fully automated pipelines from initial build to deployment.

An unauthorized third party breached CircleCI around December 16 after an employee's device became infected with information-stealing malware, resulting in the theft of the employee's two-factor authentication (2FA)-backed SSO session cookie and allowing access to the company's internal systems. Because the targeted employee had privileges to generate production access tokens, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys. CircleCI first learned of the unauthorized access to its systems after a customer reported that their GitHub OAuth token had been compromised. CircleCI took steps to mitigate further compromise, including automatically rotating customers' GitHub OAuth tokens.

Supply chain attacks targeting software developers and suppliers continue to be an emerging threat. Additionally, threat actors continue to develop new ways to bypass 2FA or MFA, as these supplementary security measures have proven successful and are widely adopted across corporate networks. CircleCI provides further IOCs to assist customers with internal investigations.