CircleCI has released a new security incident report providing more information on the attack it suffered earlier this month. The company first learned about the attack from a customer reporting that their GitHub token had been compromised. Internal investigations concluded that an engineer had been infected on December 16th with information-stealing malware that evaded the company’s antivirus. The malware was able to steal a corporate session cookie that had already been authenticated via 2FA, which allowed the attacker to avoid having to complete 2FA again. Using the stolen session cookie, the hacker began stealing data from the company’s database, including customers’ environment variables, tokens and keys.

This segment was created for the It’s 5:05 podcast