CircleCi has announced that the malware-fueled grand theft data it has been investigating was indeed the cause of a recent security incident.

In a blog post, the company detailed the recent incident, the steps it took to mitigate the damage, and the measures it will take going forward to ensure the security of its users.

The blog post claims that a high-level employee’s laptop was infected with token-stealing malware, allowing the hackers full access to the system.

Taking information for weeks at a time

Despite the presence of antivirus software, the malware apparently proceeded to run on the endpoint. The tool was used by the hackers to steal the user’s session tokens, which allowed them to stay logged into various services.

Some apps store session tokens that let users stay logged in for extended periods of time after they’ve logged in, even if they logged in with a password and a multi-factor authentication (MFA) tool. That is to say, the attackers were able to circumvent the company’s multi-factor authentication (MFA) system by stealing session tokens.

All that was needed after that to compromise private information was access to the appropriate production systems.

This blog post explains that the unauthorised third party gained access to and exfiltrated data from a subset of databases and stores, including customer environment variables, tokens, and keys, because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties.

It is estimated that the threat actors were lurking around CircleCI’s infrastructure from December 16, 2022, to January 4, 2023, a span of about three weeks.

Data encryption didn’t help much because the attackers also got the encryption keys.

Customers who have not yet taken any measures to protect their accounts from being hacked on third-party sites or services are urged to do so in the final paragraph of the blog post.

Customers were urged by CircleCi to periodically change any sensitive information they had stored with the company. “These can be kept in contexts or other project environment variables.”