Earlier today (April 15, 2022), Travis CI personnel were informed that certain private customer repositories may have been accessed by an individual who used a man-in-the-middle 2FA attack, leveraging a third-party integration token. Immediately upon learning this information, Travis CI revoked all auth keys and tokens, preventing any further access to our systems. No customer data is exposed presently and no further access is possible.
We are not aware of any particular report that any actual customer data was accessed. We are cooperating with GitHub to ensure all data is secured and all issues are resolved.
Update (April 18, 2022): Security Bulletin Update
On April 15, 2022, Travis CI personnel learned that a hacker breached a Heroku service and accessed a private application OAuth key used to integrate the Heroku and Travis CI applications. This key does not provide access to any Travis CI customer repositories or any Travis CI customer data.
We thoroughly investigated this issue and found no evidence of intrusion into a private customer repository (i.e., source code), as the OAuth key stolen in the Heroku attack does not provide that type of access. Based on what we have found, we do not believe this is an issue or risk to our customers.
Out of an abundance of caution, Travis CI revoked and reissued all private customer auth keys and tokens integrating Travis CI with GitHub to ensure no customer data is compromised.
Please contact Travis CI customer support with any questions or concerns. We will continue to review and monitor.