CircleCI, a continuous-integration provider popular among developers and engineers, disclosed a data breach last month in which customer data was stolen.
On Friday the company revealed that an intruder gained access through an employee's malware-infected laptop. The malware stole the employee's session tokens, which gave the intruder continued access even though the employee had two-factor authentication in place.
The company attributed the compromise to a "systems failure," citing its antivirus software's inability to detect the token-stealing malware on the employee's laptop.
Session tokens let users stay logged in without re-entering a password or presenting a second factor on every request. A stolen token therefore grants an intruder the same access as the account holder without any of the holder's credentials, and because the token is the only thing the service checks, it cannot easily tell the legitimate owner from the attacker.
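To make that mechanism concrete, here is an added Python example (not CircleCI's code and not part of the original article) contrasting a session store in which possession of the bearer token is the whole proof of identity with one that binds the session to the client it was issued to and demands a fresh second factor before privileged actions, the kind of step-up authentication mentioned later in the post-mortem. The action names, the 300-second step-up window and the client-fingerprint scheme are illustrative assumptions.

```python
"""Added example: why a stolen session token defeats MFA, and two mitigations
(session binding and step-up authentication). All names, thresholds and the
fingerprint scheme are illustrative assumptions, not any vendor's implementation."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Actions that must never be authorised on the strength of a long-lived
# session alone (assumption: modelled on "generating production access tokens").
PRIVILEGED_ACTIONS = {"generate_production_token", "read_customer_db"}
STEP_UP_WINDOW = 300  # seconds a fresh second-factor assertion stays valid


def client_fingerprint(*attributes: str) -> str:
    """Hash of client context captured at login (e.g. a device certificate
    thumbprint). Constructed stand-in for a device-bound credential; IP or
    User-Agent alone would be trivial for an attacker to replay."""
    return hashlib.sha256("|".join(attributes).encode()).hexdigest()


@dataclass
class Session:
    user: str
    client_fp: str          # client context the token was issued to
    mfa_verified_at: float  # last time a second factor was presented
    issued_at: float


class TokenOnlyStore:
    """Baseline: the bearer token is the whole proof of identity. MFA was
    checked once at login, so whoever presents the token later *is* the user."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_fp: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_fp, now, now)
        return token

    def authorize(self, token: str, client_fp: str, action: str,
                  now: Optional[float] = None) -> bool:
        # client_fp and action are ignored: any holder of a live token passes.
        return token in self._sessions


class BoundStore(TokenOnlyStore):
    """Hardened: the session is tied to the client it was issued to, and
    privileged actions require a recent second factor (step-up auth)."""

    def authorize(self, token: str, client_fp: str, action: str,
                  now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return False
        if not hmac.compare_digest(session.client_fp, client_fp):
            # Token presented from a different client: treat as theft and revoke.
            del self._sessions[token]
            return False
        if action in PRIVILEGED_ACTIONS and now - session.mfa_verified_at > STEP_UP_WINDOW:
            return False  # caller must step_up() first (e.g. hardware key tap)
        return True

    def step_up(self, token: str, client_fp: str, second_factor_ok: bool,
                now: Optional[float] = None) -> bool:
        """Record a fresh second-factor assertion for an existing session.
        second_factor_ok stands in for verifying a real FIDO2/WebAuthn assertion."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None or not hmac.compare_digest(session.client_fp, client_fp):
            return False
        if not second_factor_ok:
            return False
        session.mfa_verified_at = now
        return True


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed fixed clock for a reproducible run
    employee = client_fingerprint("corp-laptop-cert:ab12", "user:alice")
    attacker = client_fingerprint("unknown-host", "user:alice")

    weak = TokenOnlyStore()
    tok = weak.login("alice", employee, now=t0)
    print("stolen token, bearer-only store:",
          weak.authorize(tok, attacker, "read_customer_db", now=t0 + 60))

    strong = BoundStore()
    tok = strong.login("alice", employee, now=t0)
    print("stolen token, bound store:",
          strong.authorize(tok, attacker, "read_customer_db", now=t0 + 60))
    print("owner after revocation:",
          strong.authorize(tok, employee, "view_dashboard", now=t0 + 61))
```

Two caveats on the hardened version. Binding to an IP address or User-Agent is a weak fingerprint and breaks for roaming users; the mismatch check is only meaningful with a device-bound credential such as a client certificate or a passkey registered to the hardware. And even with strong binding, malware running on the trusted laptop can drive requests from that device, which is why the separate requirement of a fresh second factor for production-token generation matters independently of session binding.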
CircleCI reported that the stolen session token let the attackers masquerade as the employee and reach some production systems holding customer data.
Rob Zuber, the company's CTO, said a third party was able to access and exfiltrate data from customer databases because the targeted employee had privileges to generate production access tokens as part of their regular duties. The unauthorized access occurred between December 16 and January 4.
Zuber stated that the customer data was encrypted, but the attackers also obtained the encryption keys, allowing them to decrypt it; encryption at rest offers no protection once an intruder holds the same production access as the legitimate key holder. He urged customers who have yet to take action to do so in order to guard against unauthorized access.
According to Zuber, several customers have informed CircleCI of unauthorized access to their own systems.
The post-mortem came days after the company warned customers to rotate any secrets stored in its platform, amid fears that source code and other access keys had been stolen.
Zuber stated that CircleCI has taken additional measures, including step-up authentication and hardware security keys, to prevent a repeat of the incident.
The token-stealing incident resembles the LastPass hack, though it is unclear whether the two are linked. In December, LastPass revealed that intruders had compromised an employee's device and account, enabling them to breach the company's developer environment and steal customers' encrypted password vaults.