US investigators probing breach at San Francisco code testing company -firm


By Raphael Satter

WASHINGTON, April 16 (Reuters) - U.S. federal investigators are probing an intrusion at San Francisco-based software auditing company Codecov that affected an unknown number of its 29,000 customers, the firm said, raising the specter of knock-on breaches at companies elsewhere.

Codecov said in a statement hackers began tampering with its software - which is used across the tech industry to help test code for mistakes and vulnerabilities - on Jan. 31. However, the intrusion was only detected earlier this month when an astute customer noticed there was something off about the tool, Codecov said.

Although the ramifications of the incident remain unclear, the breach drew comparisons to the recent compromise of Texas software firm SolarWinds (SWI.N) by alleged Russian hackers, both because the breach could have follow-on effects at many of the organizations that use Codecov and because of the length of time that the doctored software remained in circulation.

The company says on its website that it has 29,000 customers, including consumer goods conglomerate Procter & Gamble Co (PG.N), web hosting firm GoDaddy Inc (GDDY.N), The Washington Post, and Australian software firm Atlassian Corporation PLC (TEAM.O).

P&G, GoDaddy, The Post, and Atlassian did not immediately return messages seeking comment.

Codecov is used by "big enterprises, small companies and open source tools alike," said Dor Atias of Israeli source code protection firm Cycode.

Subverting Codecov means "you can get a lot of data from a lot of big companies," he said. "It's a huge deal."

Codecov said there was an ongoing federal investigation into the matter but declined to elaborate on its statement.

The Federal Bureau of Investigation and Department of Homeland Security's cybersecurity arm did not immediately return messages seeking comment on Friday.

(Reporting by Raphael Satter; Editing by Lincoln Feast.)
