CircleCI discovers data breach, warns users to ‘check your repo names’

CircleCI has warned customers to review their repo and branch names after discovering they may have been exposed in a breach involving the CI firm and a third-party analytics vendor over the summer.

Email addresses and related metadata were also exposed, CircleCI warned, raising the possibility that these could be used in targeted phishing campaigns.

CircleCI said it became aware of the security incident on August 31, after being informed of unusual activity on the account.

The attacker “was able to improperly access some user data in our vendor account, including usernames and email addresses associated with GitHub and Bitbucket, along with user IP addresses and user agent strings. The engineering and security teams at CircleCI immediately revoked the access of the compromised user and quickly launched an investigation.”

The firm said “some user data was exposed, including usernames and email addresses associated with GitHub and Bitbucket, along with user IP addresses and user agent strings.” Other exposed data could include organization name, repository URLs and names, branch names, and repository owners.

It was at pains to point out that no “user secrets, build artifacts, build logs, source code, or any other production data was accessed or exfiltrated during this incident”. Similarly, no authorisation data was accessed, or credit card or financial info.

And, perhaps most crucially depending on your point of view, “the attacker was not able to access any production data or any data related to authentication on CircleCI, your team should be able to continue to access and use our platform as usual.”

However, because the exposed data included repo and branch names, “we advise your team to review for sensitive business information.”

While the unusual activity that triggered the investigation was spotted on August 31, CircleCI said it affected customers who accessed the platform from June 30 to the end of August.