CircleCI, a vendor specializing in CI/CD and DevOps tools, confirmed that some customer data was stolen in a data breach last month. The investigation was triggered by a compromised GitHub OAuth token, an attack vector that attackers have leveraged repeatedly in the past few months, as in many other breaches of developer-focused SaaS applications that the Valence Security Threat Labs team has discussed. Based on the CircleCI team's investigation, the attackers stole a valid session token belonging to a CircleCI engineer, which allowed them to bypass two-factor authentication and gain unauthorized access to production systems. From there, the attacker was able to steal customer environment variables, tokens, and keys.
In its incident blog post, CircleCI recommends that customers rotate all of their secrets, including OAuth tokens, Project API tokens, SSH keys, and more.
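To make that rotation advice concrete, here is an added example (not code from the original post, nor from CircleCI or Valence) that inventories a project's environment variables and replaces each one for which a freshly issued credential is available, reporting the ones that still hold a potentially exposed value. It assumes the CircleCI API v2 project environment-variable endpoints (GET and POST on `/project/{project-slug}/envvar`, DELETE on `/project/{project-slug}/envvar/{name}`, paginated with `page-token`) authenticated via a `Circle-Token` header; verify these against the current CircleCI API documentation before use. The `FakeClient`, the project slug and the variable names are constructed so the script runs offline.

```python
"""Inventory and rotate CircleCI project environment variables.

Added example, not from the original post or from CircleCI/Valence.
Assumes CircleCI API v2 (https://circleci.com/api/v2) endpoints:
  GET    /project/{slug}/envvar           list variables (paginated)
  DELETE /project/{slug}/envvar/{name}    remove one variable
  POST   /project/{slug}/envvar           create one variable
authenticated with a 'Circle-Token' header. Verify against current docs.
"""
import json
import urllib.request

API_BASE = "https://circleci.com/api/v2"


class HttpClient:
    """Minimal urllib client for a real run (token comes from the caller)."""

    def __init__(self, token):
        self.token = token

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(API_BASE + path, data=data, method=method)
        req.add_header("Circle-Token", self.token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}


class FakeClient:
    """Constructed offline stand-in: records calls, mimics the API responses."""

    def __init__(self, existing):
        self.existing = dict(existing)   # name -> (masked) value
        self.calls = []

    def request(self, method, path, body=None):
        self.calls.append((method, path, body))
        if method == "GET":
            items = [{"name": n, "value": v} for n, v in self.existing.items()]
            return {"items": items, "next_page_token": None}
        if method == "DELETE":
            self.existing.pop(path.rsplit("/", 1)[1], None)
            return {"message": "Environment variable deleted."}
        if method == "POST":
            self.existing[body["name"]] = body["value"]
            return {"name": body["name"], "value": body["value"]}
        raise ValueError(f"unexpected method {method}")


def list_envvars(client, project_slug):
    """Return the names of all project environment variables, following pagination."""
    names, token = [], None
    while True:
        path = f"/project/{project_slug}/envvar"
        if token:
            path += f"?page-token={token}"
        resp = client.request("GET", path)
        names.extend(item["name"] for item in resp.get("items", []))
        token = resp.get("next_page_token")
        if not token:
            return names


def rotate_envvars(client, project_slug, new_values):
    """Replace each variable that has a new value in new_values.

    Returns (rotated, unrotated). Names in 'unrotated' still carry a value that
    may have been exposed and need a new credential issued at the source first.
    """
    rotated, unrotated = [], []
    for name in list_envvars(client, project_slug):
        if name not in new_values:
            unrotated.append(name)
            continue
        # Project env vars cannot be updated in place: delete, then recreate.
        client.request("DELETE", f"/project/{project_slug}/envvar/{name}")
        client.request("POST", f"/project/{project_slug}/envvar",
                       {"name": name, "value": new_values[name]})
        rotated.append(name)
    return rotated, unrotated


if __name__ == "__main__":
    slug = "gh/example-org/example-repo"  # constructed placeholder slug
    fake = FakeClient({"AWS_SECRET_ACCESS_KEY": "xxxxOLD1",
                       "NPM_TOKEN": "xxxxOLD2",
                       "DEPLOY_SSH_KEY": "xxxxOLD3"})
    done, pending = rotate_envvars(fake, slug, {"AWS_SECRET_ACCESS_KEY": "new-1",
                                                "NPM_TOKEN": "new-2"})
    print("rotated:", done)
    print("still holding an old value, no replacement supplied:", pending)
```

The point of the `unrotated` list is that deleting a variable in CircleCI does nothing to the credential itself: the AWS key, npm token or deploy key must be reissued and the old one revoked at its issuer, and only then written back into the project. For a real run, swap `FakeClient` for `HttpClient` with a personal API token that is itself freshly issued.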
Proper management of SaaS security risks, such as ungoverned SaaS-to-SaaS third-party integrations built on OAuth grants, API tokens and similar credentials, is key to protecting critical organizational data. Implementing a SaaS security solution like Valence can help by continuously monitoring for SaaS misconfigurations and misuse, and by right-sizing the privileges of both human and non-human identities.