CircleCi, a software business well-liked among developers and software engineers, has disclosed a data breach involving some of its clients.

Although the employee’s access to the affected apps was secured by two-factor authentication, the business claimed in a comprehensive blog post on Friday that it had determined the intruder’s original point of entry was an employee’s laptop that had been infiltrated with malware.

After the breach was discovered, the corporation blamed a “systems failure” and admitted that anti-virus software had missed the token-stealing malware on the worker’s laptop.

Through the usage of session tokens, a user is able to remain signed in without repeatedly typing their password or approving using two-factor authentication. However, if an intruder obtains the account holder’s session token, they will have the same privileges as the account holder, without having the account holder’s password or two-factor code. As a result, it may be difficult to tell the difference between a legitimate account holder’s session token and one that was stolen by a hacker.

According to CircleCi, the fraudsters were able to impersonate the employee after stealing the session token and access some of the company’s production systems that house client data.

Rob Zuber, the company’s CTO, explained that the unauthorised third party gained access to and exfiltrated data from a subset of databases and stores, including customer environment variables, tokens, and keys, because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties. According to Zuber, the intruders were able to access the system between December 16 and January 4.

According to Zuber, even though customers’ information was encrypted, hackers were able to get the keys needed to decode it. If you haven’t already, Zuber recommends that you change your passwords for all of your third-party accounts.

According to Zuber, many clients have reported that their systems have been breached.

The investigation follows a warning from the firm a few days before, in which it urged users to change “any and all secrets” kept on the platform out of concern that hackers could have gained access to source code or other confidential information.

According to Zuber, CircleCi workers who still have access to production systems “have introduced extra step-up authentication processes and restrictions” to avoid a recurrence, most likely via the use of hardware security keys.

The token theft on an employee’s laptop is similar to the first point of access used in the attack of password management company LastPass, which similarly included an intruder targeting an employee’s computer; however, it is unclear whether or not these two cases are related. LastPass users’ encrypted password vaults were compromised, the company announced in December. According to LastPass, the hackers gained access to LastPass’ internal development environment after first compromising an employee’s device and account credentials.