

On Friday, DevOps platform CircleCI revealed that unidentified threat actors compromised an employee’s laptop and stole their two-factor authentication credentials to compromise the company’s systems and data.

CI/CD service CircleCI said the “sophisticated attack” occurred on December 16, 2022, and its antivirus software could not detect the malware.

According to CircleCI’s chief technology officer, Rob Zuber, the malware carried out session cookie theft, allowing the attackers to impersonate the targeted employee remotely and escalate access to a subset of production systems.

As a result of the security breach, an unauthorized third party stole data from a subset of the company’s databases by abusing elevated permissions granted to the targeted employee, including customer environment variables, tokens, and keys.

On December 19, 2022, the threat actor conducted surveillance, followed by data exfiltration on December 22, 2022.

Although all data was encrypted at rest, the third party extracted encryption keys from a running process, potentially allowing them to access the encrypted data.

On December 29, 2022, CircleCI urged its customers to rotate all their secrets after it was alerted to “suspicious GitHub OAuth activity” by one of its customers.

Upon learning that the customer’s OAuth token had been compromised, the company took the proactive step of rotating all GitHub OAuth tokens, the company stated, adding that Atlassian rotated all Bitbucket tokens, that Project API Tokens and Personal API Tokens were revoked, and that customers with potentially affected AWS tokens were notified.

Aside from limiting access to production environments, CircleCI has added more authentication guardrails to prevent illegitimate access.

In addition, the company plans to implement periodic automatic OAuth token rotation for all customers to prevent such attacks in the future. It will also allow users to adopt the latest and most advanced security features.
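The response described above boils down to one defender's question: which stored secrets must be rotated now? The following is an added example, not CircleCI's code or tooling. It triages a constructed inventory of CI/CD secrets against two rules: any secret whose value existed while the attacker had access is treated as exposed, and any secret older than the periodic rotation interval is due regardless. The compromise window in the sample data starts on the December 16, 2022 initial-access date from the report; its end date and the inventory contents are assumptions made for the example.

```python
"""Rotation triage for CI/CD secrets after a suspected compromise (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Initial access date as reported; the window end is an assumption for this
# example (use the vendor's stated containment date in a real response).
WINDOW_START = datetime(2022, 12, 16, tzinfo=UTC)
WINDOW_END = datetime(2022, 12, 29, tzinfo=UTC)
MAX_AGE = timedelta(days=90)  # assumed periodic rotation interval


@dataclass(frozen=True)
class Secret:
    name: str
    kind: str  # e.g. "github_oauth", "aws", "project_api_token"
    last_rotated: datetime


def triage(secrets, window_start, window_end, max_age, now):
    """Return {secret_name: reason} for every secret that must be rotated."""
    findings = {}
    for s in secrets:
        if s.last_rotated < window_start:
            # The value was in place for the whole window: assume exfiltrated.
            findings[s.name] = "predates compromise window"
        elif s.last_rotated < window_end:
            # Rotating *during* the window does not help: the new value was
            # stored while the attacker still had access.
            findings[s.name] = "rotated inside compromise window"
        elif now - s.last_rotated > max_age:
            # Periodic hygiene: stale secrets widen the blast radius of any
            # future theft, which is why automatic rotation matters.
            findings[s.name] = "exceeds rotation interval"
    return findings


# Constructed inventory; names, kinds and dates are made up for the example.
SAMPLE_INVENTORY = [
    Secret("prod-github-oauth", "github_oauth", datetime(2022, 11, 1, tzinfo=UTC)),
    Secret("prod-aws-deploy", "aws", datetime(2022, 12, 20, tzinfo=UTC)),
    Secret("staging-db-password", "env_var", datetime(2023, 3, 15, tzinfo=UTC)),
    Secret("legacy-npm-token", "env_var", datetime(2022, 12, 30, tzinfo=UTC)),
]


def sample_findings(now=datetime(2023, 4, 1, tzinfo=UTC)):
    """Run the triage over the constructed inventory at a fixed 'now'."""
    return triage(SAMPLE_INVENTORY, WINDOW_START, WINDOW_END, MAX_AGE, now)


if __name__ == "__main__":
    for name, reason in sorted(sample_findings().items()):
        print(f"ROTATE {name}: {reason}")
```

The middle rule is the one teams most often miss: a secret rotated while the intruder still had read access to the platform is no safer than one that was never rotated, so the window end must come from confirmed containment, not from the date rotation started.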


Author Profile

Gabriella Antal

SMM & Corporate Communications Officer


Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
