> We are writing to inform you of a recent security incident that affects your organization.
What happened:
On August 31st, the CircleCI team received an automated email from a third party vendor notifying us that a database had been added as a destination for CircleCI’s site analytics data. Our team had not added such a database, so this notification was quickly followed up by an investigation, revealing that site analytics data on this vendor account from the previous two months was accessed by an unauthorized attacker. The compromised data includes information such as usernames and email addresses associated with GitHub and Bitbucket. The attacker did not access users’ passwords, auth tokens, source code, or any other production data during the incident.
What we are doing to resolve the issue:
On August 31st, upon detecting the unauthorized access to our vendor account, the compromised user account was immediately removed from the tool. Our security team then reached out to the third-party vendor to collaborate further on an investigation and disable the account used by the attacker. CircleCI is continuing to collaborate with the third-party vendor on remediation efforts and we have made it a top priority to prevent this type of event from happening in the future.
What kind of user data was affected?
Based on what we have learned, some user data was exposed, including usernames and email addresses associated with GitHub and Bitbucket, along with user IP addresses and user agent strings. Additional information that was exposed in the incident may include organization name, repository URLs and names, branch names, and repository owners.
We can confirm that absolutely no CircleCI user secrets, build artifacts, source code, or any other production data was accessed or exfiltrated during this incident. We can also confirm that no credit card or financial information was ever accessed by the attacker.
Our investigation has shown that the exfiltrated data is limited to site analytics related to UI experiments and marketing campaigns - we have confirmed that no data on the CircleCI platform, including data used for authentication with CircleCI such as auth tokens or password hashes was compromised.
Where to learn more:
We will update this incident FAQ page with more information as we continue our investigation into this incident.
We take security incredibly seriously at CircleCI. While perfect security is an impossible goal, we promise to do better. We sincerely apologize for this incident, and any distress it may cause you or your team. We plan to use this incident to improve our security and audit standards moving forward, and we hope to earn your continued trust and support.
1 comment
[ 2.6 ms ] story [ 14.4 ms ] thread> We are writing to inform you of a recent security incident that affects your organization.
What happened:
On August 31st, the CircleCI team received an automated email from a third party vendor notifying us that a database had been added as a destination for CircleCI’s site analytics data. Our team had not added such a database, so this notification was quickly followed up by an investigation, revealing that site analytics data on this vendor account from the previous two months was accessed by an unauthorized attacker. The compromised data includes information such as usernames and email addresses associated with GitHub and Bitbucket. The attacker did not access users’ passwords, auth tokens, source code, or any other production data during the incident.
What we are doing to resolve the issue:
On August 31st, upon detecting the unauthorized access to our vendor account, the compromised user account was immediately removed from the tool. Our security team then reached out to the third-party vendor to collaborate further on an investigation and disable the account used by the attacker. CircleCI is continuing to collaborate with the third-party vendor on remediation efforts and we have made it a top priority to prevent this type of event from happening in the future.
What kind of user data was affected?
Based on what we have learned, some user data was exposed, including usernames and email addresses associated with GitHub and Bitbucket, along with user IP addresses and user agent strings. Additional information that was exposed in the incident may include organization name, repository URLs and names, branch names, and repository owners.
We can confirm that absolutely no CircleCI user secrets, build artifacts, source code, or any other production data was accessed or exfiltrated during this incident. We can also confirm that no credit card or financial information was ever accessed by the attacker.
Our investigation has shown that the exfiltrated data is limited to site analytics related to UI experiments and marketing campaigns - we have confirmed that no data on the CircleCI platform, including data used for authentication with CircleCI such as auth tokens or password hashes was compromised.
Where to learn more:
We will update this incident FAQ page with more information as we continue our investigation into this incident.
We take security incredibly seriously at CircleCI. While perfect security is an impossible goal, we promise to do better. We sincerely apologize for this incident, and any distress it may cause you or your team. We plan to use this incident to improve our security and audit standards moving forward, and we hope to earn your continued trust and support.
-The CircleCI Security Team