Today, Apr 15th, we became aware of a serious security incident at one of our developer partners called codecov.io. We're using codecov to determine the test coverage of our code in order to improve our code and product quality. More details about the breach on their site: https://about.codecov.io/security-update/
What does this mean for Gorgias customers?
TLDR: To the best of our knowledge we have not detected any unauthorized access to our systems. If we detect any unauthorized access, we will let you know as soon as possible.
We are still investigating the extent of this breach, but our preliminary investigation reveals that only our Continuous Integration (CI) system, together with the credentials present in that system, was affected. As soon as we became aware of this breach we immediately began rotating the credentials used in the CI system. Once we confirmed that we had rotated all credentials, we began investigating what those credentials could have been used for and began looking at the audit logs of all affected systems. To the best of our knowledge and ability we have not detected any unauthorized access to our systems. Additionally, the customer data (in our databases), including PII, is protected by a firewall that allows connections only from an allowlist, so even if our credentials have been leaked it is unlikely that the attackers gained access to our systems. Out of an abundance of caution we rotated the affected credentials anyway and will continue rotating all credentials, including those that we don't think were affected by the CI breach.
Could we have done a better job?
Yes, we should have added a checksum check of the uploader script that codecov was providing and a detailed security audit of that script. Due to lack of time and attention to detail I didn't do that. This is my (Alex) fault and I'm assuming all responsibility for this lack of attention. Even if codecov claims that they are no longer compromised, we've removed all access from Codecov to Gorgias resources, at least temporarily. Additionally, we began an internal audit of all CI-related tools and we're aiming to identify whether there are similar gaps in our systems and fix them.
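The checksum check described above, as an added example that is not Gorgias' or Codecov's own code: a CI gate that computes the SHA-256 digest of an already-downloaded helper script and runs it only if the digest matches a value pinned in the repository. The function names, the placeholder digest and the fetch step being done elsewhere are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Gorgias' or Codecov's code): run a downloaded CI helper
# script only when its SHA-256 digest equals a checksum pinned in the repo.
# Assumptions: the script has already been fetched to "$1"; the expected digest
# is a hex string copied from the vendor's published checksums and committed
# next to the CI config (the value passed as "$2" is a placeholder).

sha256_of() {
    # Portable digest: GNU coreutils sha256sum, or shasum on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Returns 0 when the file's digest equals the pinned one, 1 otherwise.
# An empty digest (unreadable file, missing tool) is treated as a failure.
verify_script_checksum() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file") || return 1
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Gate: verify first, then execute. Replaces the "curl | bash" pattern, in
# which a modified upstream script runs with every secret the CI job holds.
run_verified() {
    if verify_script_checksum "$1" "$2"; then
        sh "$1"
    else
        echo "checksum mismatch for $1; refusing to run" >&2
        return 1
    fi
}
```

Pin the digest in version control rather than fetching it from the same host as the script, so that a compromised download endpoint cannot supply a matching checksum for a tampered file.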
Do Gorgias customers need to do something?
No, this announcement is part of our disclosure policy: https://www.gorgias.com/security
- thank you for trusting Gorgias with your data.
We're continuing the rotation of credentials until we are reasonably certain that they are not compromised. I'll post an update here when it's done.
Thank you for your understanding. For additional questions feel free to reach out to our support: firstname.lastname@example.org
Alex Plugaru, CTO & cofounder of Gorgias.
Apr 15, 14:06 PDT