
Cyber Incident Victim: CloudBees

Date:

Jun 2019

Location:

Australia

Summary

A DevOps solutions provider suffered a data breach of its continuous integration and deployment service, CodeShip, after a failover database instance was accessed without authorization over an extended period. The incident, detected after alerts about suspicious use of GitHub OAuth tokens, exposed sensitive pipeline data including build scripts, environment variables, and access tokens, and, for Pro users, the AES keys used to encrypt their secrets. Hashed passwords, one-time password (OTP) recovery codes and secrets, and business invoicing information such as names, contact data, and tax identifiers were also potentially compromised. Payment data and logging systems were not affected. In response the company revoked all related tokens and SSH keys, rotated internal secrets, rebuilt its cloud infrastructure, and introduced additional security measures including stricter access controls and comprehensive security reviews.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

The CloudBees data breach was discovered in 2020 after GitHub alerted the DevOps solutions provider to suspicious activity against business accounts connected through CodeShip's OAuth authentication tokens. In response, CloudBees revoked all GitHub-related tokens and SSH keys, which required users to reauthenticate immediately to avoid service disruption. The subsequent investigation found that a failover database instance had been accessed without authorization for approximately one year, from June 2019 through June 2020. During that window the attackers potentially had access to sensitive pipeline components of both CodeShip Basic and Pro accounts. For Basic users this included the scripts, environment variables, and access tokens embedded in their CI/CD workflows; CodeShip Pro users were additionally exposed through the AES encryption keys used to protect their pipeline secrets.


The compromise also reached the authentication safeguards of all CodeShip accounts: the threat actors potentially obtained hashed passwords, one-time password recovery codes, and OTP secret keys. CodeShip Pro customers additionally had business invoicing details exposed, including names, contact information, VAT numbers, postal addresses, and phone numbers. CloudBees confirmed that no payment systems or logging infrastructure were breached and stated that the incident was confined to the CodeShip products. After containment, the company rotated its internal application secrets, rebuilt its AWS machine images, and began a broader security programme including systematic threat modeling, tighter access restrictions on production data, and improved segregation of sensitive information. Users were instructed to rotate their pipeline keys, audit connected systems for unauthorized access, and verify the integrity of their repository code.
