by nrmitchi 2480 days ago
Between this and CircleCI, this sounds like a targeted credential-stuffing attack against accounts on Segment. If this is the case, it sounds like the only two cases that have been detected are Segment (detected on August 31st through unknown means), and CircleCI (detected on August 31st through an automated email).

Has the risk of other Segment accounts having been compromised through the same channel (but have yet to be detected) been investigated?

1 comments

Was it Segment that CircleCI was referring to? https://support.circleci.com/hc/en-us/articles/360034852194-...

I hope not, since there's a 5 day gap between CircleCI being notified and the rest of their customers.

Based on the wording, it's my belief that CircleCI was referring to Segment, but I have 0 inside information to confirm this.

Even if it was, though, Circle discovered this issue on their own through an automated notification of an action taken; they do not seem to have been notified directly by Segment. It doesn't seem fair to assume that, _if_ Circle is referring to Segment, either company did anything wrong in their response here.

It's possible that CircleCI was one of the 13 breached workspaces:

> For a small subset of customers (13), the unauthorized party was able to gain read-only access to their workspaces and click around in their accounts for up to a few minutes. These customers have been notified.