Confluent Update Regarding Codecov Incident

Our team was recently notified of unauthorized read-only access to Confluent’s GitHub account stemming from the recent Codecov incident (more information here). The security of our customers and their data is critically important to us, and upon learning of this Codecov breach, our security team took immediate action to assess the ramifications of this incident and implement additional security measures to limit any further impact—including engaging with an industry-leading cyber forensics team to conduct a full-scale investigation and contacting law enforcement.

Our investigation remains ongoing, but here is what we have learned so far:

• The attackers leveraged a vulnerability in Codecov’s software to gain unauthorized read-only access to our private Github repositories, including our source code.
• This seems to be part of a pattern of widespread attacks orchestrated through Codecov and impacting 1,000+ of their customers.
• Importantly, this attack was not the result of a vulnerability in Confluent Platform or Confluent Cloud.
• Though the investigation is ongoing, we have not found any evidence of attempted attacks on Confluent Platform or Confluent Cloud, or access to any customer data sent through or stored in either.
• We have uncovered references to certain customers and customer-related documents that were stored in GitHub, and have reached out to affected customers.

With regards to the corrective measures we have taken so far, we have:

• Revoked Codecov’s access and discontinued use of the service;
• Rotated all of our credentials exposed by the Codecov compromise to prevent further unauthorized access;
• Analyzed available logs to ensure that exposed credentials were not leveraged to gain access to Confluent systems;
• Enhanced monitoring of our environment to identify and respond to suspicious activity;
• While we have no indication that the GPG signing key used to assure the integrity of Confluent Platform was compromised, we are proactively rotating this key out of an abundance of caution. Customers can find more information about this change here.

Confluent has a robust security program that includes assessing the security of our vendors, proactively scanning our source code for vulnerabilities such as hard-coded credentials, and proactive monitoring for suspicious activity in our cloud environments that helps minimize the risk of these types of incidents.

We approach matters such as this with the utmost seriousness. Regardless of what tools are involved or at fault, we ultimately hold ourselves accountable for the security of our customers and the data they entrust us with. We continue to work around the clock to gather additional information and limit the impact of this incident on our systems and our customers. We will continue to provide updates as new information becomes available.