We take data security extremely seriously, and we believe it is important to be transparent and accountable. As part of those commitments, we are sharing information about a vendor security incident we are currently investigating.
Codecov, a third-party SaaS provider of software code testing, discovered a security vulnerability in their software that was exploited by an attacker and affected potentially hundreds of companies using their services, including monday.com. This incident was not the result of a vulnerability in monday.com’s environment.
Upon learning of this issue, we took immediate mitigation steps, including revoking Codecov access, discontinuing our use of Codecov’s service, rotating keys for all of monday.com’s production and development environments, and retaining leading cybersecurity forensic experts to assist with our investigation. Codecov recently provided specific information and indicators that enabled us to deepen our investigation.
While our investigation is ongoing, based on our findings to date, we have not seen any indication that customer data processed by monday.com was affected by this incident or accessed by the attacker. The attacker did access a file containing a list of certain URLs pointing to publicly broadcast customer forms/views hosted on monday.com. We have contacted the relevant customers to inform them how to regenerate these URLs.
While we have seen evidence that our source code was accessed due to the Codecov vulnerability, to date, we have found no evidence of any unauthorized modifications to our source code, or any impact on our products.
Our mission is to empower teams to work together, and we value the trust our customers place in us to help them do that. Protecting our customers and their data is our top priority. We continuously evaluate our vendor relationships and develop additional security enhancements as appropriate. Our investigation is ongoing, and we will provide additional updates as we deem necessary or appropriate.