Later that day, we rotated all credentials that had been present in the environment configuration of the 2 repos on Travis CI, where the Bash Uploader script had been invoked. These credentials consisted of:
• a GitHub access token associated with a read-only robot user
• a robot user password for pushing Docker images to Quay.io
• a robot user password for deploying apps on Aptible Deploy
We audited all access on Aptible Deploy and Quay, and confirmed the compromised robot user passwords were not used in either service. On April 22, with assistance from GitHub, we identified that the GitHub token *was* used to download several repos. We audited all credentials and confidential data contained within these repos. Importantly, no customer-owned data are stored in any of our code repos, and no customer-owned data were accessed or impacted by this incident.
At this time, the only potentially compromised data is a list of companies (not individual users) who use Aptible Deploy and/or Comply. No sensitive or regulated information had been committed to the downloaded repos at any time. We will provide updates if we discover any new information, but based on our investigation thus far, we are resolving this incident.
• Edited April 29 to clarify that no customer-owned data were impacted by this incident