Fake CircleCI accounts are stealing access to GitHub accounts

Both CircleCI and GitHub have confirmed that cybercriminals are posing as the service in an attempt to gain unauthorised access to user accounts.

The two companies claim that hackers are currently spreading a phishing email that pretends to come from the CircleCI continuous integration and delivery platform.

The email alerts GitHub users that CircleCI’s user terms and privacy policy have changed and that they must log in to their GitHub accounts to accept the new terms.

A word of caution from GitHub

A link to “accept” the modifications is provided, as one might expect, in the email’s footer. Those who follow it risk having their GitHub account credentials and two-factor authentication codes stolen, because the phishing site likely works as a reverse proxy that relays the victim’s login and one-time code straight through to GitHub while recording both. Users who sign in with hardware security keys are not affected, since such keys only respond to the genuine origin and cannot be replayed by a proxy.

While GitHub was not a target of the attack, “many victim organisations” were, the company warned.

Threats from a wide variety of directions

CircleCI has also issued a warning on its forums about the ongoing attack and emphasised that it would never require users to log in with credentials in order to see ToS updates.

In a statement, CircleCI emphasised that its emails should only contain links to circleci.com or its sub-domains.

A number of domains have been identified as sources of the phishing emails:

  • circle-ci[.]com
  • emails-circleci[.]com
  • circle-cl[.]com
  • email-circleci[.]com
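CircleCI’s statement above gives a simple rule a mail filter can enforce: a link is only legitimate if its host is circleci.com or a subdomain of it. The following is an added example, not code from CircleCI or GitHub, that applies that rule to the URLs in an email body and flags the lookalike domains listed above. The sample email is constructed for the example, and the “lookalike” heuristic (any other host containing “circle”) is an assumption chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Trusted sender domain named in CircleCI's statement; its subdomains are also allowed.
TRUSTED_DOMAIN = "circleci.com"

# Lookalike domains reported as phishing sources (defanged with [.] in the article;
# refanged here purely for string comparison).
KNOWN_PHISHING_DOMAINS = {
    "circle-ci.com",
    "emails-circleci.com",
    "circle-cl.com",
    "email-circleci.com",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url: str) -> str:
    """Lowercase hostname of a URL; userinfo and port are discarded by urlparse."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower().rstrip(".")


def is_trusted_host(host: str) -> bool:
    """True only for circleci.com itself or a real subdomain (label boundary enforced)."""
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def classify_link(url: str) -> str:
    """Return 'trusted', 'known-phishing', 'lookalike' or 'untrusted' for one URL."""
    host = host_of(url)
    if is_trusted_host(host):
        return "trusted"
    if host in KNOWN_PHISHING_DOMAINS:
        return "known-phishing"
    # Assumed heuristic: brand string anywhere in the host, ignoring hyphens,
    # catches "circleci.com.evil.example" and "circle-cl" style typosquats.
    if "circle" in host.replace("-", ""):
        return "lookalike"
    return "untrusted"


def suspicious_links(body: str) -> list[tuple[str, str]]:
    """Every (url, verdict) in the body whose verdict is not 'trusted'."""
    results = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop trailing punctuation glued onto the link
        verdict = classify_link(url)
        if verdict != "trusted":
            results.append((url, verdict))
    return results


# Constructed sample email modelled on the campaign described in the article.
SAMPLE_EMAIL = """CircleCI Terms of Service update
Please review the new terms at https://circleci.com/legal/terms.
To accept, sign in with GitHub: https://emails-circleci.com/accept?u=abc
Questions? https://support.circleci.com/
"""

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:15} {url}")
```

The label-boundary check matters: `notcircleci.com` and `circleci.com.evil.example` both fail `is_trusted_host` and fall through to the lookalike heuristic, and `https://circleci.com@evil.example/` is classified by its real host, `evil.example`, because `urlparse` strips the userinfo part.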

If the attackers are successful in gaining access to a GitHub developer account, they will proceed to create personal access tokens (PATs), authorise OAuth apps, and even add SSH keys to the account to ensure that they retain access even if the account owners change the password.
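The persistence steps above all survive a password change, so an account review after a suspected compromise has to cover PATs, OAuth grants and SSH keys explicitly. The following is an added example, not code from GitHub, of such a review: it takes an inventory of the account’s artifacts, compares each against a baseline the owner recognises and an incident window, and lists what should be revoked. The inventory, baseline and dates are constructed for the example; the record shape is an assumption, not GitHub’s API format.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Artifact kinds named in the advisory as post-compromise persistence mechanisms.
PERSISTENCE_KINDS = ("pat", "oauth_app", "ssh_key")

# Why a password reset alone is not enough: none of these are tied to the password.
REVOCATION_ACTION = {
    "pat": "delete the personal access token",
    "oauth_app": "revoke the OAuth application's authorisation",
    "ssh_key": "remove the SSH public key from the account",
}


@dataclass(frozen=True)
class Artifact:
    kind: str            # one of PERSISTENCE_KINDS
    name: str            # token note, app name or key title
    created_at: datetime # when it was added to the account


def suspicious_artifacts(inventory, approved, incident_start):
    """Return [(artifact, [reasons])] for anything unexpected or added during the incident."""
    flagged = []
    for art in inventory:
        if art.kind not in PERSISTENCE_KINDS:
            raise ValueError(f"unknown artifact kind: {art.kind}")
        reasons = []
        if (art.kind, art.name) not in approved:
            reasons.append("not in owner's approved baseline")
        if art.created_at >= incident_start:
            reasons.append("created during incident window")
        if reasons:
            flagged.append((art, reasons))
    return flagged


def revocation_plan(flagged):
    """Map each flagged artifact to the concrete action that actually removes access."""
    return [(art.kind, art.name, REVOCATION_ACTION[art.kind]) for art, _ in flagged]


# Constructed baseline: what the account owner knows they created.
APPROVED = {("ssh_key", "laptop-ed25519"), ("pat", "ci-deploy"), ("oauth_app", "Slack")}

# Constructed incident window start (not a date from the article).
INCIDENT_START = datetime(2022, 9, 1, tzinfo=timezone.utc)

# Constructed inventory: two legitimate items plus the three kinds of persistence
# the advisory describes, all added after the incident started.
INVENTORY = [
    Artifact("ssh_key", "laptop-ed25519", datetime(2021, 3, 2, tzinfo=timezone.utc)),
    Artifact("pat", "ci-deploy", datetime(2022, 1, 10, tzinfo=timezone.utc)),
    Artifact("pat", "backup", datetime(2022, 9, 14, tzinfo=timezone.utc)),
    Artifact("oauth_app", "Repo Sync", datetime(2022, 9, 14, tzinfo=timezone.utc)),
    Artifact("ssh_key", "key", datetime(2022, 9, 15, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for art, reasons in suspicious_artifacts(INVENTORY, APPROVED, INCIDENT_START):
        print(f"{art.kind:10} {art.name!r:14} {'; '.join(reasons)}")
    for kind, name, action in revocation_plan(suspicious_artifacts(INVENTORY, APPROVED, INCIDENT_START)):
        print(f"  -> {action} ({name})")
```

Both tests are deliberately kept: an artifact that is in the baseline but was re-created inside the window is still flagged, and one created earlier but absent from the baseline is flagged too, since an attacker may have had access before the window was known.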

Afterwards, GitHub said, they access information from non-public repositories. Since then, GitHub has disabled numerous accounts that were found to be compromised, and the passwords of all users who could have been affected have been reset.