Security News > 2023 > January > CircleCI's hack caused by malware stealing engineer's 2FA-backed session
Hackers breached CircleCi in December after an engineer became infected with information-stealing malware that their 2FA-backed SSO session cookie, allowing access to the company's internal systems.
In a new security incident report on the attack, CircleCi says they first learned of the unauthorized access to their systems after a customer reported that their GitHub OAuth token had been compromised.
"Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems," explains CircleCi's new incident report.
Using the engineer's privileges, CircleCi says the hacker began stealing data on December 22nd from some of the company's databases and stores, including customer's environment variables, tokens, and keys.
In response to the attack, CircleCi says they rotated all tokens associated with their customers, including Project API Tokens, Personal API Tokens, and GitHub OAuth tokens.
To further strengthen their infrastructure, CircleCi says they added further detections for the behavior exhibited by the information-stealing malware to their antivirus and mobile device management systems.