Users of CloudBees' CodeShip are advised to immediately rotate any keys and other secrets in their pipelines after the DevOps solutions provider discovered a long-lasting data breach affecting the continuous integration and deployment (CI/CD) system.
The data breach came to light after open source code repository Github alerted CloudBees to suspicious activities against business accounts connected via the CodeShip app OAuth authentication tokes.
Cloudbees revoked all Github related tokens and secure shell (SSH) keys upon learning of the suspicious activity, requiring users to reauthenticate CodeShip with the code repositoriy provider immediately to avoid service outage.
Further investigation by Cloudbees revealed that an attacker had accessed a failover database instance between June 2019 and June 2020, after which the malicious activity is believed to have stopped, the company's chief executive Sacha Labourey said.
CodeShip Basic account hoiders may have had all information stored in their pipelines exposed, including scripts, environment variables, access tokens and similar data, Cloudbees said.
Advanced Encryption Standard (AES) keys for CodeShip Pro users may have been exposed too.
All CodeShip users' hashed account passwords, one-time password recovery codes and OTP secret keys could have been accessed by the threat actors.
Furthermore, CodeShip Pro user data such as business invoicing information comprising names and contact details and value-added tax numbers, postal addresses and phone numbers may have been exposed as well.
No payments data or logging system were accessed for any customers, and Cloudbees said the data breach only affects CodeShip and no other products.
CodeShip users should rotate keys and other secrets used in their pipelines immediately, Cloudbees advised.
They should also review if any systems accessible via CodeShip have been subject to unauthorised access, and verify the integrity of source code in repositories linked to their accounts.
Labourey said Cloudbees has rotated all application internal secrets and rebuilt its Amazon Web Services machine images.
Cloudbees is also tighten up security for CodeShip with systematically implemented product threat modelling and large-scope security reviews, and enhance strict restrictions for access to production data and the segregation of sensitive information.
