The software integration firm CircleCI is informing its
clients a third-party analytics vendor suffered an incident exposing login
information for their GitHub and Bitbucket accounts.
The company said in a statement
it was informed of the breach on August 31, but affected customers who accessed
the CircleCI platform starting June 30, 2019. The information compromised
included usernames and email addresses associated with GitHub and Bitbucket and
IP addresses and user agent strings. Additionally, organization name,
repository URLs and names, branch names, and repository owners may have been
Other information in CircleCI’s possession was not involved.
“No CircleCI user secrets, build artifacts, build logs,
source code, or any other production data was accessed or exfiltrated during
this incident. No data used for authentication with CircleCI, such as auth tokens
and password hashes, was accessed, nor was any credit card or financial
Once informed by the third-party vendor that the account had
been breached CircleCI’s team disabled the account and removed the unauthorized
user account within 15 minutes.
To prevent a similar event from happening in the future
CircleCI is reviewing its policies for enforcing 2FA sign on for third-party
accounts and transition to single sign-on (SSO) for all of our integrations.