
CircleCI breach post-mortem: Attackers got in by stealing engineer’s session cookie
2023-01-16 13:48

The attackers who pulled off the recent breach of continuous integration and continuous delivery platform maker CircleCI got in by compromising an engineer's laptop with malware, stealing their 2FA-backed SSO session cookie, and using it to impersonate the employee in a remote location.

"Because the targeted employee had privileges to generate production access tokens as part of the employee's regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys," CircleCI CTO Rob Zuber explained.
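The two paragraphs above describe the core failure mode: a session cookie that had already passed 2FA was lifted off the laptop and replayed from elsewhere, and that cookie alone was enough to mint production tokens. The following Python is an added illustration, not CircleCI's code, of two server-side controls that blunt exactly that: binding each session to the client context seen at login (source /24 and user agent, a constructed, coarse heuristic) so a replay from a different context revokes the session and raises an alert, and requiring a fresh step-up 2FA for any privileged action such as generating a production token. All names, the `SessionStore` class and the sample addresses and user agents are hypothetical and constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    context_mac: str            # HMAC of the client context seen when the cookie was issued
    mfa_verified: bool          # the login itself passed 2FA
    step_up_done: bool = False  # fresh 2FA available for the next privileged action
    revoked: bool = False
    alerts: list = field(default_factory=list)


def client_context(ip: str, user_agent: str) -> str:
    """Coarse client context: the source /24 (or /64 for IPv6) plus the user agent (heuristic)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return f"{net}|{user_agent}"


class SessionStore:
    """Hypothetical server-side session registry; the cookie value is only an opaque random id."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._sessions: dict[str, Session] = {}

    def _mac(self, data: str) -> str:
        return hmac.new(self._secret, data.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, ip: str, user_agent: str, mfa_verified: bool) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, self._mac(client_context(ip, user_agent)), mfa_verified)
        return sid

    def validate(self, sid: str, ip: str, user_agent: str) -> str:
        """Returns 'ok', 'denied', or 'revoked_context_mismatch'."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return "denied"
        if not hmac.compare_digest(s.context_mac, self._mac(client_context(ip, user_agent))):
            # Same cookie, different client: treat as a replay, kill the session, alert.
            s.revoked = True
            s.alerts.append(f"cookie for {s.user} replayed from {ip} ({user_agent}); session revoked")
            return "revoked_context_mismatch"
        return "ok"

    def complete_step_up(self, sid: str) -> None:
        """Record a fresh 2FA challenge; verifying the challenge itself is assumed done by the caller."""
        self._sessions[sid].step_up_done = True

    def authorize_privileged(self, sid: str, ip: str, user_agent: str) -> str:
        """A valid cookie alone never mints production tokens: one fresh step-up per privileged action."""
        if self.validate(sid, ip, user_agent) != "ok":
            return "denied"
        s = self._sessions[sid]
        if not s.step_up_done:
            return "step_up_required"
        s.step_up_done = False  # consumed; the next privileged action needs another step-up
        return "allowed"

    def alerts(self, sid: str) -> list:
        return list(self._sessions[sid].alerts)


def demo() -> dict:
    """Walk one constructed session through normal use, a privileged action, and a replay."""
    store = SessionStore(secrets.token_bytes(32))
    eng_ip, eng_ua = "203.0.113.10", "Mozilla/5.0 (Macintosh; CI-Dashboard)"  # constructed
    sid = store.issue("engineer@example.com", eng_ip, eng_ua, mfa_verified=True)
    r = {}
    r["owner_first"] = store.validate(sid, eng_ip, eng_ua)
    r["owner_same_subnet"] = store.validate(sid, "203.0.113.200", eng_ua)      # same /24: tolerated
    r["priv_without_step_up"] = store.authorize_privileged(sid, eng_ip, eng_ua)
    store.complete_step_up(sid)
    r["priv_after_step_up"] = store.authorize_privileged(sid, eng_ip, eng_ua)
    # The same cookie presented from a different network and browser: constructed replay.
    r["replay"] = store.validate(sid, "198.51.100.77", "Mozilla/5.0 (Windows NT 10.0)")
    r["owner_after_replay"] = store.validate(sid, eng_ip, eng_ua)  # legitimate owner must re-authenticate
    r["alerts"] = store.alerts(sid)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Context binding is a detection aid, not a guarantee: malware on the engineer's own machine can replay the cookie from the same subnet and browser and the check will pass, which is why the step-up requirement on privileged actions is the control that actually prevents a stolen cookie from minting production tokens, and why short session lifetimes and alerting on the revocation event matter alongside it.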

In the following days, the company continued to take actions to minimize the damage customers could experience due to this breach, among them:

- Work with Atlassian to rotate all Bitbucket tokens on behalf of customers.
- Work with AWS to notify customers that their AWS tokens could have been compromised.

It also confirmed on Friday that fewer than 5 customers have informed it of unauthorized access to third-party systems as a result of this incident.

The company has now also shared indicators of compromise to help customers with their own investigations.


News URL

https://www.helpnetsecurity.com/2023/01/16/circleci-breach/