MD-2023-0124
Statement on MD-2023-0124 CircleCI Vulnerability
August 22, 2024
Information
An unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session. This machine was compromised on December 16, 2022. The malware was not detected by CircleCI antivirus software.
More info at CircleCI Report
Severity
Low
Response
Melissa Data Corporation (“Melissa”) was not impacted by the CircleCI vulnerability as we do not utilize CircleCI for any Melissa commercial web services or products.
Melissa will continue to follow all guidance provided for this vulnerability as necessary to prevent any future risks.