The software integration firm CircleCI is informing its clients a third-party analytics vendor suffered an incident exposing login information for their GitHub and Bitbucket accounts.
The company said in a statement it was informed of the breach on August 31, but affected customers who accessed the CircleCI platform starting June 30, 2019. The information compromised included usernames and email addresses associated with GitHub and Bitbucket and IP addresses and user agent strings. Additionally, organization name, repository URLs and names, branch names, and repository owners may have been accessed.
Other information in CircleCI’s possession was not involved.
“No CircleCI user secrets, build artifacts, build logs, source code, or any other production data was accessed or exfiltrated during this incident. No data used for authentication with CircleCI, such as auth tokens and password hashes, was accessed, nor was any credit card or financial information.
Once informed by the third-party vendor that the account had been breached CircleCI’s team disabled the account and removed the unauthorized user account within 15 minutes.
To prevent a similar event from happening in the future CircleCI is reviewing its policies for enforcing 2FA sign on for third-party accounts and transition to single sign-on (SSO) for all of our integrations.