Federal officials are investigating a security breach at software audit firm Codecov, which apparently went undetected for months, Reuters reported. Codecov’s platform measures how much of a project’s code is exercised by its tests, and its 29,000 customers include Atlassian, Procter & Gamble, GoDaddy, and the Washington Post.
In a statement on the company’s website, Codecov CEO Jerrod Engelberg acknowledged the breach and the federal investigation, saying someone had accessed and modified the company’s Bash Uploader script without its permission.
“Our investigation found that as of January 31, 2021, there were periodic, unauthorized changes to our Bash Uploader script by a third party that could potentially allow them to export information stored in our users’ continuous integration (CI) environments,” Engelberg wrote. “This information was then sent to a remote server outside Codecov’s infrastructure.”
According to Engelberg’s message, the modified version of the tool could have affected:
- Any login credentials, tokens or keys that our customers passed through their CI runner that would be accessible when the Bash Uploader script was running.
- All services, data stores and application code that can be accessed with these credentials, tokens or keys.
- The git remote information (URL of the original repository) of repositories that the Bash Uploaders use to upload coverage to Codecov in CI.
Although the breach happened in January, it wasn’t discovered until April 1, when a customer noticed something was wrong with the tool. “Immediately after becoming aware of the issue, Codecov secured and repaired the potentially affected script and began investigating the extent to which users might be affected,” Engelberg wrote.
Codecov does not know who was responsible for the hack, but has hired an outside forensic company to help determine how users were affected, and has reported the matter to the police. The company has notified affected users by email, though it has not said how many there are.
“We strongly recommend that affected users immediately reroll any of their credentials, tokens or keys that reside in the environment variables in their CI processes using one of Codecov’s Bash Uploaders,” added Engelberg.
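The two checks a team would want after reading the above, written here as an added example (this is not Codecov’s code and not the Bash Uploader itself): a wrapper that refuses to run a fetched script unless its SHA-256 matches a pinned digest, which is what defeats a silently modified "curl | bash" script, and a helper that lists the names of CI environment variables that look like credentials so the team knows exactly what to re-roll. The script files, the appended "tampered" line and the credential-looking variable are constructed fixtures; the pinned digest is taken from a locally reviewed copy, on the assumption that in real use it would come from a checksum the vendor publishes through a channel separate from the script.

```shell
#!/bin/sh
# Added example (not Codecov's code). Two checks for a CI job that fetches and runs
# a vendor script: refuse to run it unless its SHA-256 matches a pinned digest, and
# list which environment variables look like credentials so they can be re-rolled.

# Digest helper that works on Linux (sha256sum) and macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# run_verified_script <path> <expected_sha256>
# Runs the script only if its digest matches the pinned value; returns 1 otherwise.
# This replaces the usual "curl ... | bash", which executes whatever the server sent.
run_verified_script() {
  script_path=$1
  expected=$2
  actual=$(sha256_of "$script_path")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $script_path: sha256 $actual != pinned $expected" >&2
    return 1
  fi
  sh "$script_path"
}

# list_credential_env_vars
# Prints the NAMES (never the values) of environment variables whose names suggest
# a credential. The name pattern is a heuristic chosen for this example.
list_credential_env_vars() {
  env | awk -F= '/^[A-Za-z_][A-Za-z0-9_]*=/ {print $1}' \
      | grep -E -i 'token|secret|key|password|credential' | sort
}

# --- Constructed fixtures so the example runs offline ---
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
trusted="$workdir/uploader.sh"
tampered="$workdir/uploader_tampered.sh"

printf '#!/bin/sh\necho "uploading coverage report"\n' > "$trusted"
# Assumption: in real use the pinned digest comes from a checksum published through a
# channel separate from the script itself; here we pin the digest of the reviewed copy.
PINNED_SHA256=$(sha256_of "$trusted")

# A modified copy standing in for an unauthorised change: any added byte changes the digest.
cp "$trusted" "$tampered"
printf 'echo "line appended by someone else"\n' >> "$tampered"

demo() {
  if run_verified_script "$trusted" "$PINNED_SHA256"; then
    echo "trusted copy: digest matched, script ran"
  fi
  if run_verified_script "$tampered" "$PINNED_SHA256"; then
    echo "tampered copy: this should not happen"
  else
    echo "tampered copy: digest mismatch, script not run"
  fi
  export EXAMPLE_CI_TOKEN=dummy-value-for-demo   # constructed credential-looking variable
  echo "variables to re-roll:"
  list_credential_env_vars || echo "(none found)"
}

demo
```

The digest check only helps if the attacker cannot also change the pinned value, so keep it in the repository (or a separate checksum file you verify out of band) rather than fetching it from the same host as the script; and when a pinned script needs updating, review the diff before updating the digest. The variable listing is deliberately name-based and prints no values, so its output is safe to paste into an incident ticket.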
While the scope of the Codecov breach remains unclear, Reuters notes that its impact could potentially be as far-reaching as that of the SolarWinds hack at the end of last year. In that breach, hackers associated with the Russian government compromised SolarWinds’ monitoring and management software. About 250 entities are believed to have been affected by the SolarWinds breach, including Nvidia, Cisco and Belkin. Agencies of the United States Treasury, Commerce, State, Energy and Homeland Security departments were also affected.