Malware on One Laptop Gave Attackers a Way Into CircleCI's Production Systems
On December 16th, 2022, malware landed on the laptop of a CircleCI engineer. CircleCI's antivirus software didn't catch it. Three days later, the malware stole a session cookie that was already authenticated past two-factor authentication -- and an attacker used it to impersonate that engineer from a remote location. Because the employee's job included generating production access tokens, the attacker could too. It took a customer's bug report, not CircleCI's own monitoring, to surface the breach.
Days the malware went undetected: 13
Laptop compromised: Dec 16, 2022
Customers reporting downstream compromise: < 5
Public incident report published: Jan 13, 2023
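The attack path above turns on one thing: a session cookie that has already cleared 2FA is a bearer credential, so whoever holds it is the engineer as far as the application is concerned. The detection that catches this is to record which client (source IP and user agent) completed the 2FA login for a session and flag any later request that presents the same session from a different client, escalating when that drifted session performs a privileged action such as minting a production token. The following is an added example written for this write-up, not CircleCI's code or tooling; the log format, field names (`session`, `ip`, `ua`, `event`) and sample lines are constructed to mirror the incident's shape.

```python
"""Flag authenticated sessions that are reused from a client other than the one that
completed 2FA.  Added example; the log schema and sample events are constructed."""
import json
from dataclasses import dataclass

# Constructed sample log.  Session s-1a2b passes 2FA on the engineer's laptop, is later
# presented from a different IP and client, and then creates a production-scoped token.
# Session s-9f9f is a clean control case.
SAMPLE_LOG = """\
{"ts":"2022-12-19T09:02:11Z","event":"login_2fa_ok","session":"s-1a2b","user":"eng1","ip":"203.0.113.10","ua":"Firefox/108 macOS"}
{"ts":"2022-12-19T09:05:40Z","event":"request","session":"s-1a2b","user":"eng1","ip":"203.0.113.10","ua":"Firefox/108 macOS","path":"/pipelines"}
{"ts":"2022-12-19T14:30:02Z","event":"request","session":"s-1a2b","user":"eng1","ip":"198.51.100.77","ua":"python-requests/2.28","path":"/pipelines"}
{"ts":"2022-12-19T14:31:15Z","event":"token_create","session":"s-1a2b","user":"eng1","ip":"198.51.100.77","ua":"python-requests/2.28","scope":"production"}
{"ts":"2022-12-19T15:00:00Z","event":"login_2fa_ok","session":"s-9f9f","user":"eng2","ip":"192.0.2.5","ua":"Chrome/108 Linux"}
{"ts":"2022-12-19T15:02:00Z","event":"token_create","session":"s-9f9f","user":"eng2","ip":"192.0.2.5","ua":"Chrome/108 Linux","scope":"production"}
"""

# Events that grant or extend access; a drifted session doing one of these is the
# highest-priority case because it is exactly how a stolen cookie becomes persistent access.
PRIVILEGED_EVENTS = {"token_create"}


@dataclass
class SessionOrigin:
    """Client that completed the 2FA login for a session."""
    user: str
    ip: str
    ua: str
    issued_at: str


@dataclass
class Finding:
    ts: str
    session: str
    user: str
    reason: str
    severity: str  # "medium" (drift only), "critical" (drift + privileged action), "high" (no origin)


def analyze(log_text):
    """Return a list of Finding for sessions used from a client other than their 2FA origin."""
    origins = {}   # session id -> SessionOrigin, recorded when 2FA completes
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid = ev["session"]
        if ev["event"] == "login_2fa_ok":
            origins[sid] = SessionOrigin(ev["user"], ev["ip"], ev["ua"], ev["ts"])
            continue
        origin = origins.get(sid)
        if origin is None:
            # A session we never saw authenticate: either log gap or a forged/imported cookie.
            findings.append(Finding(ev["ts"], sid, ev["user"], "session with no recorded 2FA login", "high"))
            continue
        mismatches = []
        if ev["ip"] != origin.ip:
            mismatches.append(f"ip {origin.ip} -> {ev['ip']}")
        if ev["ua"] != origin.ua:
            mismatches.append(f"ua {origin.ua!r} -> {ev['ua']!r}")
        if not mismatches:
            continue
        reason = "session reused from a different client: " + "; ".join(mismatches)
        severity = "critical" if ev["event"] in PRIVILEGED_EVENTS else "medium"
        findings.append(Finding(ev["ts"], sid, ev["user"], reason, severity))
    return findings


def sessions_to_revoke(findings):
    """Session ids that performed a privileged action after drifting: revoke these first."""
    return sorted({f.session for f in findings if f.severity == "critical"})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} [{f.severity}] session={f.session} user={f.user}: {f.reason}")
    print("revoke:", sessions_to_revoke(results))
```

An IP change alone is noisy (VPNs, mobile networks), which is why the example only raises to critical when the drifted session also performs a privileged action; in the incident described above that action was generating production access tokens. This is a detection control, not a prevention one: the cookie itself was valid, so the complementary fixes are short session lifetimes and re-prompting for 2FA before token generation.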