Rollbar might be good at tracking bugs, uninvited guests not so much

Cloud-based bug tracking and monitoring platform Rollbar has warned users that attackers have rifled through their data.

Troy Hunt, creator of the Have I Been Pwned site, posted a message from Rollbar CEO Brian Rue confirming the breach and the actions taken by the company upon its discovery.

According to the post, Rollbar noticed something amiss in its data warehouse query logs on September 6. Further analysis showed that miscreants had been in the system between August 9 and 11. The initial attack vector was a cloud platform service account that only had access to the data warehouse.

Rollbar noted that the attackers first tried to fire up compute resources – commonly used by criminals to mine Bitcoin or launch other attacks – and when that failed due to a lack of permission, the attackers began hunting through the data warehouse.

The target appeared to be Bitcoin wallets or other cloud credentials. However, the cyber baddies could also access account information, including usernames and email addresses, account names and project information.

• Airbus suffers data leak turbulence to cybercrooks' delight
• Cloud infrastructure security is having an identity crisis. Can CIEM help?
• Capita class action: 2,000 folks affected by data theft sign up
• Ransomware attack hits Sri Lanka government, causing data loss

As well as notifying users, Rollbar has also expired project access tokens with "read" or "write" scope – these could allow access to project data and will expire access tokens with "post_server_item" scope in 30 days. While the latter tokens do not permit data to be read, they could allow data to be sent into a project.

Rollbar claims to have 400 million monthly active application end users covered. It also claims to have caught over 1 billion unique errors and processes 150 million occurrences daily. Its customers include Salesforce and Duolingo.

The Register has contacted Rollbar for additional comment and will update should any be forthcoming.

There was no indication of how attackers gained access to the cloud platform service account, only the actions taken when Rollbar became aware of the nefarious activity within its data warehouse.

A gap of nearly a month between the intrusion and Rollbar becoming aware of it is worrying but not unusual. It is an indicator of the issues faced by enterprises when spotting malicious behavior. ®

Updated to add statement:

Rollbar said in a statement: "A third party gained unauthorized access to our data warehouse. Rollbar project access tokens were exposed. We have already expired all read/write scope tokens. If you use the Rollbar API via a read/write token (like reading the Metrics API or updating item statuses), you must rotate those."

It added: "We will expire all post_server_item tokens on Oct 10, 2023 12:00 am UTC, if you use Rollbar via a server-side language, like Ruby, PHP, Python, Node.js, Go, Java, or .NET, you will need to rotate those tokens. We've released a new tool to make this easier in our project settings."