Today’s data whoopsie is brought to you by CircleCI: Source safe, but look out for phishers
Software testing and delivery company CircleCI has apologised for exposing user data to the world and its dog.
The company blamed a third-party analytics provider for the leak, which it was told about at the end of August. CircleCI is a continuous integration/continuous delivery software pipeline for Microsoft, Linux, Docker and macOS developers.
In a statement, the outfit said: “On August 31st, we became aware of a security incident involving CircleCI and a third-party analytics vendor. An attacker was able to improperly access some user data in our vendor account, including usernames and email addresses associated with GitHub and Bitbucket, along with user IP addresses and user agent strings. The engineering and security teams at CircleCI immediately revoked the access of the compromised user and quickly launched an investigation.”
The company reassured users no source code, build logs or other production data was at risk. Nor was any authentication or password data lost. But the incident could affect any customers who used CircleCI’s platform between 30 July and 31 August – users should have been informed by email.
CircleCI said its security team was still working with the unnamed analytics vendor to upgrade security and had also started work with an external forensics firm to consider additional measures.
It warned customers to be extra vigilant about phishing attempts that may be using their leaked email addresses.
We’ve contacted the company but they’re based in San Francisco, so probably haven’t yet got up to drink their artisan coffee.
Anyone worried should keep an eye on this page of CircleCI’s website where further updates are promised. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/05/circleci_security_incident/