\n<\/p>\n
CircleCi, a software company whose products are popular with developers and software engineers, confirmed that some customers\u2019 data was stolen in a data breach<\/a> last month.<\/p>\n The company said in a detailed blog post<\/a> on Friday that it identified the intruder\u2019s initial point of access as an employee\u2019s laptop that was compromised with malware, allowing the theft of session tokens used to keep the employee logged in to certain applications, even though their access was protected with two-factor authentication.<\/p>\n The company took the blame for the compromise, calling it a \u201csystems failure,\u201d adding that its antivirus software failed to detect the token-stealing malware on the employee\u2019s laptop.<\/p>\n Session tokens allow a user to stay logged in without having to keep re-entering their password or re-authorizing using two-factor authentication each time. But a stolen session token allows an intruder to gain the same access as the account holder without needing their password or two-factor code. As such, it can be difficult to differentiate between a session token of the account owner, or a hacker who stole the token.<\/p>\n CircleCi said the theft of the session token allowed the cybercriminals to impersonate the employee and gain access to some of the company\u2019s production systems, which store customer data.<\/p>\n \u201cBecause the targeted employee had privileges to generate production access tokens as part of the employee\u2019s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys,\u201d said Rob Zuber, the company\u2019s chief technology officer. Zuber said the intruders had access from December 16 through January 4.<\/p>\n Zuber said that while customer data was encrypted, the cybercriminals also obtained the encryption keys able to decrypt customer data. \u201cWe encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores,\u201d Zuber added.<\/p>\n Several customers have already informed CircleCi of unauthorized access to their systems, Zuber said.<\/p>\n The post-mortem comes days after the company warned customers to rotate \u201cany and all secrets\u201d<\/a> stored in its platform, fearing that hackers had stolen its customers\u2019 code and other sensitive secrets used for access to other applications and services.<\/p>\n Zuber said that CircleCi employees who retain access to production systems \u201chave added additional step-up authentication steps and controls,\u201d which should prevent a repeat-incident, likely by way of using hardware security keys<\/a>.<\/p>\n The initial point of access \u2014 the token-stealing on an employee\u2019s laptop \u2014 bears some resemblance to how the password manager giant LastPass was hacked, which also involved an intruder targeting an employee\u2019s device, though it\u2019s not known if the two incidents are linked. LastPass confirmed in December that its customers\u2019 encrypted password vaults<\/a> were stolen in an earlier breach. LastPass said the intruders had initially compromised an employee\u2019s device and account access<\/a>, allowing them to break into LastPass\u2019 internal developer environment.<\/p>\n