Freshworks Update Regarding Codecov Incident
At Freshworks, we take the security and privacy of our customers’ data seriously and are committed to doing business with integrity and transparency. To that end, we want to provide information regarding our investigation and mitigation surrounding the industry-wide Codecov security event where an unknown attacker exploited a vulnerability in Codecov’s software. The vulnerability allowed the attacker to gain unauthorized access to private GitHub repositories of a significant number of companies, including Freshworks (information available at codecov.io/security-update/). Through such criminal access, the attackers had access to Freshworks’ generated credentials and our source code.
Upon learning of the impact of the Codecov security event on our GitHub repository, the Freshworks security team took immediate action to assess the ramifications of this incident and implement additional security measures to limit any additional impact—including engaging an industry-leading cyber forensics firm to conduct a parallel investigation.
Our investigation into this security event found that a limited amount of customer information, including some business contact information and customer credentials, may have been impacted as a result of this exposure. We found no evidence that sensitive data of our customers was exposed.
We have concluded the forensic investigation in collaboration with the cyber forensics firm that we retained; addressed identified Codecov vulnerabilities; and mitigated against potential exposure by:
- Identifying potentially exposed credentials and rotating them;
- Coordinating directly with impacted customers to inform them of the security incident and address concerns related to this security event;
- Analyzing available logs to determine whether there was any indication that any exposed information was leveraged to gain access to Freshworks systems; and
- Establishing enhanced monitoring of our environment and third-party systems or services to identify and respond to suspicious activity.
We will continue to provide updates if they are necessary. For further questions, please reach out to our customer support team at email@example.com.