Security vendor Rapid7 confirmed that “a small subset” of its source code repositories and some customer credentials and other data were accessed by an unauthorized party following a breach of code-testing company Codecov last month.
In an unsigned May 13 blog post, the company said that following an internal investigation, which included “validation” from an unnamed cybersecurity forensics firm, it determined that there was a “limited” impact on Rapid7’s network and customer data.
“A small subset of our source code repositories for internal tooling for our [managed detection and response] service was accessed by an unauthorized party outside of Rapid7,” the company said. “These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers.”
The company said there is no evidence that other corporate systems or application production environments were accessed or tampered with and they have contacted all affected customers. The company plans to publish a blog post in the near future outlining “some of the techniques we used when responding to this incident in hopes that it will benefit others to handle this incident and incidents similar to it.”
As experts told SC Media immediately following disclosure of the breach, how each customer used Codecov – whether they used the company’s platform simply to build and test their code, or used it for code in production – could play a substantial role in their level of individual exposure. Rapid7 said it used Codecov only for the former.
“Our use of Codecov’s Bash Uploader script was limited: it was set up on a single [continuous integration] server used to test and build some internal tooling for our Managed Detection and Response (MDR) service,” the company wrote. “We were not using Codecov on any CI server used for product code.”
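The exposure described above comes from a vendor-supplied script that a CI server fetches and runs. One defensive control a team can apply to any such script is to pin a reviewed version by checksum and refuse to execute anything that does not match. The following is an added example written for this article; it is not Rapid7's or Codecov's code, the function names are the author's own, the pinned hash is a placeholder the team would fill in after review, and it assumes a POSIX shell with coreutils `sha256sum` available.

```shell
#!/bin/sh
# Added example (not code from Rapid7 or Codecov): execute a third-party CI
# helper script only when its SHA-256 matches a hash pinned in the repository.
# PINNED_UPLOADER_SHA256 is a placeholder; a team would set it to the digest of
# the exact script version they reviewed and approved.
PINNED_UPLOADER_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# verify_script FILE EXPECTED_SHA256
# Returns 0 when FILE exists and its SHA-256 equals EXPECTED_SHA256, 1 otherwise.
verify_script() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 1
    # Assumes coreutils sha256sum; output is "<hash>  <file>", keep the hash.
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# run_pinned_script FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE with ARGS only after verify_script succeeds. A mismatch (for
# example a script altered upstream after it was pinned) aborts the job step
# instead of silently executing the changed content.
run_pinned_script() {
    file="$1"
    expected="$2"
    shift 2
    if verify_script "$file" "$expected"; then
        sh "$file" "$@"
    else
        echo "refusing to run $file: checksum mismatch or file missing" >&2
        return 1
    fi
}

# Typical CI usage (left as a comment so the file is safe to source):
#   curl -fsSL -o uploader.sh "$UPLOADER_URL"
#   run_pinned_script uploader.sh "$PINNED_UPLOADER_SHA256" -t "$TOKEN"
```

Pinning a checksum turns an unreviewed "fetch and execute" step into a comparison against something the team controls; updating the pin becomes a deliberate, reviewable change rather than an implicit trust in whatever the download URL serves today.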
When the breach was first disclosed, there were widespread concerns that the details of the attack, the nature of Codecov’s work and its self-reported list of 29,000 customers all pointed to a potential motive of supply chain compromise. Thus far a handful of other companies, including Twilio and HashiCorp, have publicly acknowledged they were impacted, with HashiCorp saying the attack exposed to attackers the private key it uses to validate software updates (the key has since been switched out as a precaution).
Still, it’s not clear how many Codecov customers may have been compromised and to what extent. In the immediate wake of the disclosure, companies like Atlassian – makers of Jira and a number of popular software development tools – rushed out statements to the press saying that they were not aware of any evidence that their systems were compromised. However, cybersecurity experts often caution that such investigations can take weeks or longer before a fuller picture emerges of the impact.
Following publication, Atlassian responded to questions from SC Media, confirming that the company was among the affected customers initially notified by Codecov and that its internal investigation has not turned up evidence of further compromise, but it did not provide any further details.
"Though Atlassian uses Codecov tools within our environment for a small number of internal projects, our own investigation has concluded that our network and cloud products are not affected," a spokesperson wrote in an emailed response.