CircleCI suffered data breach involving third-party analytics vendor

• Users who accessed the CircleCI platform between June 30, 2019, and August 31, 2019, are impacted by this incident.
• The compromised user data includes usernames and email addresses associated with GitHub and Bitbucket, along with user IP addresses and user-agent strings.

What’s the matter?

CircleCI suffered a data breach incident compromising user data after an attacker gained unauthorized access to one of its third-party vendor account. Users who accessed the CircleCI platform between June 30, 2019, and August 31, 2019, are impacted by this incident.

What happened?

On August 31, 2019, a CircleCI team member noticed an email notification from one of their third-party analytics vendors and suspected that unusual activity was taking place in that particular vendor account. Upon which, the employee immediately forwarded the email to CircleCI security team and launched an investigation on the incident.

What data was involved?

• The compromised user data includes usernames and email addresses associated with GitHub and Bitbucket, along with user IP addresses and user-agent strings.
• The other exposed information includes organization names, repository URLs, branch names, and repository owners.
• However, no CircleCI user secrets, auth tokens, password hashes, build artifacts, build logs, source code, Social Security numbers or credit card information were involved in the incident.

“Because the attacker was not able to access any production data or any data related to authentication on CircleCI, your team should be able to continue to access and use our platform as usual. Affected users do not need to update passwords or invalidate auth tokens due to this incident as these were not compromised,” CircleCI said in a security notice.

What actions are being taken?

Upon detecting the unusual activity in the vendor account, CircleCI’s security team launched an investigation on the incident. The investigation revealed that the added database was not a CircleCI resource.

• Upon which, the security team immediately removed the malicious database and the compromised user from the tool.
• The team then collaborated with the third-party vendor in order to identify the exact vulnerability that caused the incident.
• Steps to improve CircleCI’s security practices are being taken by the security team, which includes enforcing 2FA on third-party accounts, and implementing single sign-on (SSO) for all of the integrations.

“However, this is no excuse for failing to adequately protect user data, and we would like to apologize to the affected users. We hope that our remediations and internal audits are able to prevent incidents like this and minimize exposures in the future. We know that perfect security is an impossible goal, and while we can’t promise that, we can promise to do better,” CircleCI concluded.