What’s the matter?
CircleCI suffered a data breach that compromised user data after an attacker gained unauthorized access to one of its third-party vendor accounts. Users who accessed the CircleCI platform between June 30, 2019, and August 31, 2019, are impacted by this incident.
On August 31, 2019, a CircleCI team member noticed an email notification from one of the company’s third-party analytics vendors and suspected that unusual activity was taking place in that vendor account. The employee immediately forwarded the email to CircleCI’s security team, and an investigation into the incident was launched.
What data was involved?
“Because the attacker was not able to access any production data or any data related to authentication on CircleCI, your team should be able to continue to access and use our platform as usual. Affected users do not need to update passwords or invalidate auth tokens due to this incident as these were not compromised,” CircleCI said in a security notice.
What actions are being taken?
Upon detecting the unusual activity in the vendor account, CircleCI’s security team launched an investigation into the incident. The investigation revealed that the added database was not a CircleCI resource.
“However, this is no excuse for failing to adequately protect user data, and we would like to apologize to the affected users. We hope that our remediations and internal audits are able to prevent incidents like this and minimize exposures in the future. We know that perfect security is an impossible goal, and while we can’t promise that, we can promise to do better,” CircleCI concluded.