On April 15 we were notified by Codecov that an attacker compromised their software, which we use as part of our development process to track our own test coverage of Diffblue’s software. We believe being transparent about security incidents helps build trust, so we’re writing this blog post to explain what happened, the customer impact (none) and how we responded.

Because an attacker modified Codecov's product and we ran it in our pipeline, the attacker could potentially have accessed our source code and build environment, but nothing else. At no time was any customer or employee information at risk.

As soon as we received notice, we rotated or regenerated all the credentials and keys that are used as part of our software build processes or were accessible within the build environment. This stops an attacker from using those keys and credentials for malicious purposes and blocks further access to our code and build. We do this step first, before any further investigation, because it is critical to prevent a potential breach from getting worse.

Next, we checked our logs and validated our source code and build systems, looking for any evidence that an attacker had accessed our systems or altered anything in the source code or build environment. We found no such evidence and are confident that our software was not compromised.

As a precaution, we also regenerated the keys and certificates that we use to cryptographically sign our software for Mac, Windows and Linux and revoked the previous certificates. We have no evidence these were accessed or compromised; they are stored in a separate key store outside the build system for additional security.

We have many security controls and processes in place to protect our information and that of our customers, and we choose suppliers with strong security controls and processes. Despite that, we cannot prevent every security incident, so we aim for a rapid response that quickly blocks the attack, a thorough investigation that determines the impact, and transparent communication.

Please contact us if you have any further questions.