On Apr 15th, we became aware of a serious security incident at one of our developer partners, codecov.io. We use Codecov to measure the test coverage of our code in order to improve our code and product quality. More details about the breach are on their site: https://about.codecov.io/security-update/
TLDR: To the best of our knowledge we have not detected any unauthorized access to our systems and data. If we detect any unauthorized access, we will let you know as soon as possible.
We are still investigating the extent of this breach, but our investigation reveals that our Continuous Integration (CI) system and Version Control System (VCS) together with the credentials present in these systems were affected.
As soon as we became aware of this breach we immediately began rotating the credentials used in the CI system. Once we confirmed that all credentials had been rotated, we began investigating what those credentials could have been used for and started reviewing the audit logs of all affected systems.
Again, to the best of our knowledge and ability we have not detected any unauthorized access to our systems. Additionally, the customer data (in our databases), including PII, is protected by a firewall that allows connections only from a vetted list of IP addresses, so even if our credentials were leaked it is unlikely that the attackers gained access to our systems. Out of an abundance of caution we rotated the affected credentials anyway and will continue rotating all credentials, including those that we don't think were affected by the CI breach.
Yes, we typically try not to hold any secrets in our code, but when we need to, we store them in an AES-256 encrypted format. Every decryption event for these secrets is logged with our cloud provider and we haven't detected any unauthorized access to them. As a precaution we'll still rotate them, but there is little chance of compromise there.
Yes, we should have added a checksum check of the uploader script that Codecov was providing and performed a detailed security audit of that script. Due to lack of time and attention to detail I didn't do that. This is my (Alex) fault and I'm assuming all responsibility for this lack of attention. Even if Codecov claims that they are no longer compromised, we've removed all access from Codecov to Gorgias resources, at least temporarily. Additionally, we have begun an internal audit of all CI-related tools to identify whether there are similar gaps in our systems and fix them.
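The checksum check described above, as an added example that is neither Gorgias's nor Codecov's own code: a POSIX shell helper that compares a downloaded CI script against a SHA-256 digest pinned in the pipeline configuration and refuses to execute it on mismatch. The demo file and its digest are constructed; the function and variable names are our own.

```shell
#!/bin/sh
# Added example: verify a downloaded CI script against a pinned SHA-256
# digest before running it. Not code from Gorgias or Codecov.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_script FILE EXPECTED_DIGEST: returns 0 on match, 1 on mismatch or
# missing file, and logs both digests so the CI log shows what was seen.
verify_script() {
  file="$1"
  expected="$2"
  if [ ! -f "$file" ]; then
    echo "verify_script: missing file: $file" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "verify_script: checksum mismatch for $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# run_pinned FILE EXPECTED_DIGEST: execute the script only after it verifies.
run_pinned() {
  verify_script "$1" "$2" || return 1
  sh "$1"
}

# Constructed demo: a stand-in file containing "hello\n"; the pinned value is
# the well-known SHA-256 of exactly that content.
DEMO_DIGEST=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
demo=$(mktemp)
printf 'hello\n' > "$demo"
verify_script "$demo" "$DEMO_DIGEST" && echo "demo: digest matches, safe to run"
printf 'echo extra\n' >> "$demo"   # simulate a modified download
verify_script "$demo" "$DEMO_DIGEST" || echo "demo: modified file rejected"
rm -f "$demo"
```

The pinned digest must come from a channel separate from the download itself (for example, the vendor's release notes checked into your repository); a checksum fetched from the same server as the script proves nothing if that server is the one compromised.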
No, this announcement is part of our disclosure policy: https://www.gorgias.com/security - thank you for trusting Gorgias with your data.
We're continuing the rotation of credentials until we are reasonably certain that they are not compromised. This will take a lot of work from the entire team and may result in a series of maintenance downtimes. Thank you for your understanding - the security of your data is a top priority.
For additional questions feel free to reach out to our support: support@gorgias.com
Alex Plugaru, CTO & cofounder of Gorgias.