We take data security extremely seriously, and we believe it is important to be transparent and accountable. As part of those commitments, we are sharing information about a vendor security incident we are currently investigating.
Codecov, a third-party SaaS provider of software code testing, discovered a security vulnerability in their software that was exploited by an attacker and affected potentially hundreds of companies using their services, including monday.com. This incident was not the result of a vulnerability in monday.com’s environment.
Upon learning of this issue, we took immediate mitigation steps, including revoking Codecov access, discontinuing our use of Codecov’s service, rotating keys for all of monday.com’s production and development environments, and retaining leading cybersecurity forensic experts to assist with our investigation. Codecov recently provided specific information and indicators that enabled us to deepen our investigation.
While our investigation is ongoing, based on our findings to date, we have not seen any indication that customer data processed by monday.com was affected by this incident or accessed by the attacker. The attacker did access a file containing a list of certain URLs pointing to publicly broadcasted customer forms/views hosted on monday.com. We have contacted the relevant customers to inform them how to regenerate these URLs.
While we have seen evidence that our source code was accessed due to the Codecov vulnerability, to date, we have found no evidence of any unauthorized modifications to our source code, or any impact on our products.
Our mission is to empower teams to work together, and we value the trust our customers place in us to help them do that. Protecting our customers and their data is our top priority. We continuously evaluate our vendor relationships and develop additional security enhancements as appropriate. Our investigation is ongoing, and we will provide additional updates as we deem necessary or appropriate.
JULY 4th, 2021 UPDATE: In the interest of providing continued transparency regarding the effect of the Codecov incident on monday.com, we wanted to update you on the results of our investigation. We have worked with the FireEye/Mandiant Incident Response Team on this incident. FireEye/Mandiant has now concluded its investigation, which found no indication of monday.com’s customer data being affected by the incident, consistent with our previous update. The only impact relating to customers was the attacker’s access to a list of URLs for publicly broadcasted forms for certain customers, as we described previously.