In late April 2021, software code testing company Codecov announced a data breach that affected an unspecified portion of its 29,000 customers. Federal investigators are now looking into the security incident.
Reuters reports that hackers tampered with Codecov’s Bash Uploader script in January, potentially giving them access to the credentials of its customers’ continuous integration (CI) environments. These credentials can include passwords, tokens and keys that give hackers access to data on servers or services.
The scope of the breach
It’s important to know the scope of any security breach as soon as possible so that you can minimize damage. To do this, you need to conduct a thorough investigation of the incident and determine what data was stolen or compromised.
Even though companies have to be alert to breaches, many still struggle to assess the scope of a security incident. This can be caused by several factors, including a lack of resources and a lack of preparedness.
In order to avoid this, companies should start implementing security measures before a data breach happens. These include identifying assets and conducting regular asset inventories, running tabletop simulation exercises, and monitoring employee access to company information.
The company’s customers
San Francisco software firm Codecov is a household name among techies. Among its 29,000 customers are some of the industry’s most well-known companies. Its products and services are used by some of the world’s biggest firms as well as small- and medium-sized businesses looking to get a leg up on their competition. Its newest addition to the fold is a mobile app that aims to bring the cloud to your smartphone and tablet. The company is the brainchild of former Facebook exec and ex-Google executive Dana Goldstein and has a staff of about 100. Its offerings are a bit of a mishmash, including a bare-bones code reviewing service and a more comprehensive platform that includes software testing and cloud hosting.
The company’s response
Codecov was notified of the breach on April 1 and fixed the issue within days. It also notified its customers, sending them an email and showing a banner in the application to inform them of the supply chain attack.
The hackers tampered with the Bash Uploader script, which is used by Codecov to allow users to upload their files into its continuous integration environment. The altered script also gave them access to environment variables such as the current working directory, the PATH variable, and API keys and identifiers.
In addition, any security credentials that customers passed through the CI runner executing the Bash Uploader script could be exposed, along with the services, datastores and applications that those credentials unlocked.
This breach is considered a supply chain attack because it was carried out by compromising Codecov’s own servers. From there it could impact every other company that uses Codecov as a tool to check its software code for errors and vulnerabilities.
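The exposure described above came from a CI job running a script fetched from the vendor as-is. As an added example (not Codecov’s own uploader or its guidance), here is a small POSIX shell guard that downloads such a script to a temporary file and refuses to execute it unless its SHA-256 matches a checksum pinned in advance; the function names, UPLOADER_URL and PINNED_SHA256 are assumed names for this illustration.

```shell
#!/bin/sh
# Added example: gate execution of a fetched CI uploader script on a pinned SHA-256.
# Usage in a CI step (assumed variable names):
#   run_uploader "$UPLOADER_URL" "$PINNED_SHA256"
# Pin the checksum from the vendor's release notes or signed manifest, never from
# the same untrusted download you are about to verify.

_sha256() {
  # Print the hex SHA-256 of the file at $1 using whichever tool is installed.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

verify_script() {
  # Return 0 only if the file at $1 hashes to the expected digest in $2.
  actual=$(_sha256 "$1") || return 1
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

run_uploader() {
  # Download to a temp file, verify it, and execute it only on a match.
  # Piping the download straight into bash would run whatever the server sent.
  url=$1; expected=$2; tmp=$(mktemp) || return 1
  if ! curl -fsSL "$url" -o "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if verify_script "$tmp" "$expected"; then
    bash "$tmp"; rc=$?
  else
    echo "uploader checksum mismatch, refusing to run" >&2; rc=1
  fi
  rm -f "$tmp"; return $rc
}
```

A mismatch fails the CI job loudly instead of silently running a modified script, so a tampered download shows up as a broken build rather than as leaked secrets.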
The government’s response
A flurry of press releases and media coverage has been churning out the details since the breach was first announced. A number of the bigwigs have stepped up to the plate. The US government in particular has been a busy little bee. Its e-commerce and cybersecurity teams are on the case, putting the blame squarely where it belongs – on those that chose to ignore it. As for the actual damage incurred, it is too early to tell what was hacked and what wasn’t. The good news is that Codecov has been able to put the bad guys behind bars and restore service to those who weren’t.