Rapid7: Attackers got ‘limited access’ to source code, customer data after Codecov breach

Security vendor Rapid7 confirmed that “a small subset” of its source code repositories and some customer credentials and other data were accessed by an unauthorized party following a breach of code-testing company Codecov last month.

In an unsigned May 13 blog, the company said that following an internal investigation that included “validation” from an unnamed cybersecurity forensics firm, they determined that there was a “limited” impact on Rapid7’s network and customer data.

“A small subset of our source code repositories for internal tooling for our [managed detection and response] service was accessed by an unauthorized party outside of Rapid7,” the company said. “These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers.”

The company said there is no evidence that other corporate systems or application production environments were accessed or tampered with and they have contacted all affected customers. The company plans to publish a blog post in the near future outlining “some of the techniques we used when responding to this incident in hopes that it will benefit others to handle this incident and incidents similar to it.”

As experts told SC Media immediately following disclosure of the breach, how each customer used Codecov – and whether they utilized the company’s platform simply to build and test their code or used it for code in production – could play a substantial role in their level of individual exposure. Rapid7 said they only used it for the former.

“Our use of Codecov’s Bash Uploader script was limited: it was set up on a single [continuous integration] server used to test and build some internal tooling for our Managed Detection and Response (MDR) service,” the company wrote. “We were not using Codecov on any CI server used for product code.”

When the breach was first disclosed, there were widespread concerns that the details of the attack, the nature of Codecov’s work and its self-reported 29,000-long customer list all pointed to a potential motive of supply chain compromise. Thus far a handful of other companies, including Twilio and HashiCorp, have publicly acknowledged they were impacted, with HashiCorp saying the attack exposed the private key they use to validate software updates to attackers (the key has since been switched out as a precaution).

Still, it’s not clear how many Codecov customers may have been compromised and to what extent. In the immediate wake of the disclosure, companies like Atlassian – makers of Jira and a number of popular software development tools – rushed out statements to the press saying that they were not aware of any evidence that their systems were compromised. However, cybersecurity experts often caution that such investigations can take weeks or longer before a fuller picture emerges of the impact.

Following publication, Atlassian responded to questions from SC Media, confirming that the company was among the affected customers initially notified by Codecov but that its internal investigation hasn't turned up evidence of further compromise. The company did not provide any further details.

"Though Atlassian uses Codecov tools within our environment for a small number of internal projects, our own investigation has concluded that our network and cloud products are not affected," a spokesperson wrote in an emailed response.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.