Cisco confirms attackers stole data from DevHub environment
While Cisco said its systems were not breached, the vendor did confirm that attackers stole sensitive information from the public-facing portal.
Cisco confirmed that an attacker recently stole data from a public-facing DevHub environment containing software code and scripts, and then published some information online.
In a security advisory Friday, Cisco provided an update to an ongoing investigation that began Oct. 15 after the vendor received reports that an unauthorized actor gained access to Cisco data. While Cisco said it is "confident" its systems were not breached, the attacker did obtain data from a public-facing DevHub environment.
Subsequently, Cisco disabled public access to the portal "out of an abundance of caution" and said it will notify customers if the investigation determines anyone was affected.
"At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published," Cisco wrote in the advisory.
As of Friday, Cisco said published information did not include confidential data such as sensitive personally identifiable information or financial data. Cisco said the affected DevHub environment contained software code, scripts and more, and that it was used as a resource center for customers.
Cisco started the investigation after a user on a well-known dark web hacking forum under the alias "IntelBroker" claimed responsibility for a recent breach against the technology conglomerate. IntelBroker alleged that compromised data for sale included hard-coded credentials, Cisco confidential documents, API tokens, GitHub projects, Amazon Web Services private buckets, private and public keys, and SSL certificates. IntelBroker also claimed the breach affected major companies including Verizon, AT&T and Bank of America.
Security vendor DarkEye reported IntelBroker's claims on X, formerly Twitter, on Monday. DarkEye warned the breach posed a "serious threat to global corporate cybersecurity."
Major Cisco Data Breach Exposed!
Date: 2024-10-14
Affected Country: USA
Incident Summary: Hackers IntelBroker, EnergyWeaponUser, and zjj are allegedly selling a large amount of sensitive data from Cisco, including source code, hardcoded credentials, certificates,… pic.twitter.com/TITKqmLafG
— DarkEye (@darkeye_team) October 15, 2024
On Friday, in a post on X, IntelBroker claimed Cisco revoked its access to the DevHub environment.
TechTarget Editorial contacted Cisco to clarify what types of data the attacker obtained. The vendor referred to Friday's security advisory.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.