U.S. federal investigators are reportedly investigating a security breach in software auditing company Codecov that affected an unknown number of its 29,000 customers, the firm said, raising the specter of knock-on breaches at companies elsewhere.
Codecov’s platform is used to test software code for vulnerabilities, and its 29,000 clients include Atlassian, Procter & Gamble, GoDaddy, and the Washington Post.
In a statement on the company’s website, Codecov CEO Jerrod Engelberg acknowledged the breach and the federal investigation, saying someone had gained access to its Bash Uploader script and modified it without the company’s permission.
Engelberg wrote: “Our investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.”
Although the breach occurred in January, it was not discovered until April 1st, when a customer noticed something was wrong with the tool. “Immediately upon becoming aware of the issue, Codecov secured and remediated the potentially affected script and began investigating the extent to which users may have been impacted,” Engelberg wrote.
Codecov does not know who was responsible for the hack, but it has hired a third-party forensics company to help determine how users were affected and has reported the matter to law enforcement. The company emailed affected users, whom it did not name, to notify them.
“We strongly recommend affected users immediately re-roll all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders,” Engelberg added.
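Two defensive checks follow from the story above: a CI job should refuse to run a fetched helper script whose contents no longer match what the team reviewed, and, after an incident like this, a team needs an inventory of which CI environment variables hold credentials that must be re-rolled. The shell script below is an added example written for this page, not Codecov's Bash Uploader or any Codecov-provided tooling; pinning the script's SHA-256 digest is an approach this article does not describe, and the file names, the `PINNED_SHA256` value and the name-matching pattern in `sensitive_env_names` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Codecov's code). Assumes a POSIX shell with
# sha256sum (GNU coreutils) or shasum (macOS/BSD) on the PATH.

# Print the SHA-256 hex digest of a file.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when FILE's digest equals EXPECTED, 1 (with a diagnostic) otherwise.
verify_script() {
    file=$1
    expected=$2
    actual=$(file_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "integrity check failed for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Execute FILE with sh only after it passes verification; a modified copy
# is never run, so a tampered uploader cannot see the job's environment.
run_verified() {
    verify_script "$1" "$2" || return 1
    sh "$1"
}

# List the names (never the values) of environment variables whose names
# suggest a credential, as a starting inventory for rotation. The pattern
# is an assumption; extend it to match your own naming conventions.
sensitive_env_names() {
    env | cut -d= -f1 | grep -Ei 'token|secret|key|password|credential' | sort
}

# Demo with a constructed stand-in for a fetched uploader script.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' 'echo "uploading coverage report"' > "$tmp/uploader.sh"
    # In practice PINNED_SHA256 is computed once from a reviewed copy and
    # committed to the repository; here it is derived from the constructed file.
    PINNED_SHA256=$(file_sha256 "$tmp/uploader.sh")

    echo "== unmodified script =="
    run_verified "$tmp/uploader.sh" "$PINNED_SHA256"

    echo "== modified script =="
    printf '%s\n' '# any change at all breaks the pin' >> "$tmp/uploader.sh"
    if run_verified "$tmp/uploader.sh" "$PINNED_SHA256"; then
        echo "unexpected: tampered script ran"
    else
        echo "refused to run modified script"
    fi

    echo "== variables to consider rotating =="
    sensitive_env_names
    rm -rf "$tmp"
}

demo
```

A pinned digest only helps if the pin itself is stored somewhere the attacker cannot also edit (the repository, under code review), and it must be updated deliberately whenever the upstream script legitimately changes; a mismatch is then a signal to inspect the new copy before accepting it, which is the kind of check that first surfaced the problem in this story.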