Type
Incident
Actors
Pub. date
January 4, 2023
Initial access
End-user compromise
Impact
Supply chain attack
Observed techniques
References
https://circleci.com/blog/jan-4-2023-incident-report/
https://circleci.com/blog/january-4-2023-security-alert/
https://grafana.com/blog/2023/01/12/grafana-labs-update-regarding-circleci-security-updates/
https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide
https://thecyberwire.com/podcasts/microsoft-threat-intelligence/10/notes
Status
Finalized
Last edited
Jun 2, 2024 11:53 AM
On December 29, 2022, CircleCI's security team was alerted to suspicious activity on one of its customers' GitHub OAuth tokens. As a precautionary measure, the team rotated all GitHub OAuth tokens on December 31, 2022. By January 4, 2023, CircleCI's internal investigation revealed that an unauthorized third party had used malware on an engineer's laptop to steal a valid, 2FA-backed SSO session cookie, which enabled them to impersonate the engineer, then access and exfiltrate data from a subset of CircleCI's databases and stores.