Meta, Microsoft vacate office buildings as remote work, layoffs happen: Report

Facebook confirmed on Friday plans to sublease its offices at the six-story Arbor Block 333 in downtown Seattle, and in the 11-story Block 6 of the Spring District in Bellevue, the Seattle Times reported. The Seattle Times said on the same day, Redmond-based Microsoft confirmed reports that it won’t renew its lease at the 26-story City Center Plaza in Bellevue when that lease ends in June 2024.

Jakarta-based Mindtera helps companies keep an eye on employee morale

During the pandemic, Tita Ardiati and Bayu Puspito Bhaskoro began developing life coaching content to support employees who were increasingly burned out by working from home. They got a good enough reception that they decided to develop their product into an employee assistance program called Mindtera, which now serves more than 10,000 employees in Indonesia.

Today, the startup announced total seed funding of $850,000 led by East Ventures, with participation from Seedstars International Ventures and angel investors.

Bhaskoro told TechCrunch that the startup is focused on B2B markets, including mid- to large enterprises. It also provides a self-service platform for small- to medium enterprises. Its main sectors are finance, consulting and retail, and its typical client has more than 200 employees.

Mindtera aims to support employees with challenges related to their work, and also in their personal lives like finances, family and relationships. Companies, on the other hand, get insights about what employees want and how to create a more engaged and productive workforce.

Mindtera includes two platforms. The first, called Mindtera Pro, is an analytics dashboard and app with assessment tools to collect employee feedback, which is then used for insights about the well-being and engagement of a company’s workforce. This includes surveys that let employees participate anonymously or use their names. They can provide suggestions, criticism and other opinions about their work and employer.

The second, Mindtera Plus, connects companies to coaching and development consultants for help with management and workplace culture issues. Employers have the option of either subscribing to Mindtera Plus for a continuous action plan, or working with consultants on demand. Mindtera Plus uses internal consultants, external certified consultants and curated partners, who provide strategic program plans and monthly or quarterly progress reports for clients.

Bhaskoro said Mindtera’s main competitors are EAPs based outside of Indonesia, and traditional workforce consulting agencies. The main way that Mindtera differentiates is by giving employers real-time monitoring on how engaged employees are, instead of making them wait for reports. Mindtera Pro also gives them more visibility into spending on activities, vendors or platforms that they use as interventions to improve productivity and performance.

The new funding will be used to expand Mindtera’s B2B platform, with the goal of becoming Indonesia’s top employee assistance program platform.

In a statement about the funding, Seedstars International Ventures general partner Patricia Sosrodjojo, said, “The world has seen a major shift in the understanding of how integral mental health and well-being are for businesses, but there is still much work to be done in order to effectively address this. Mindtera is at the forefront of foundational changes in the workplace and has been able to rapidly expand its reach in Indonesia’s HR space.”

Jakarta-based Mindtera helps companies keep an eye on employee morale by Catherine Shu originally published on TechCrunch

ODIN Intelligence website is defaced as hackers claim breach

The website for ODIN Intelligence, a company that provides technology and tools for law enforcement and police departments, was defaced on Sunday.

The apparent hack comes days after Wired reported that an app developed by the company, SweepWizard, which allows police to manage and coordinate multi-agency raids, had a significant security vulnerability that exposed personal information of police suspects and sensitive details of upcoming police operations to the open web.

ODIN provides apps, like SweepWizard and other technologies, to law enforcement departments. It also provides a service called SONAR, or the Sex Offender Notification and Registration system, used by state and local law enforcement to remotely manage registered sex offenders. But the company has also been the subject of controversy. Last year, ODIN was found to be marketing its facial recognition technology for identifying homeless people and describing those capabilities in callous and degrading terms.

It’s not clear who defaced ODIN’s website or how the intruders broke in, but a message left behind quoted ODIN founder and chief executive Erik McCauley, who largely dismissed Wired’s recent reporting that found the SweepWizard app was insecure and spilling data.

“And so, we decided to hack them,” the message left on ODIN’s website said.

A defacement message on ODIN Intelligence’s website spelling ACAB, an acronym for “All Cops Are Bastards.” Image Credits: TechCrunch (screenshot)

The text of the defacement is ambiguous as to whether the hackers exfiltrated data from ODIN’s systems or if, as it claims, “all data and backups have been shredded,” suggesting that there may have been an attempt to erase the company’s stores of data. But the defacement note referenced three large archive files, totaling more than 16 gigabytes of data, each named in relation to ODIN, the sex offenders’ data, and the SweepWizard app, suggesting that the hackers may have at least had access to the company’s data.

The defacement also included a set of Amazon Web Services keys, apparently belonging to ODIN. TechCrunch could not immediately confirm that the keys belong to ODIN, but the keys apparently correspond with an instance on AWS’ GovCloud, which houses more sensitive police and law enforcement data.

ODIN chief executive Erik McCauley did not return emails from TechCrunch with questions about the defacement and apparent breach, but ODIN’s defaced website was pulled offline a short time later.

ODIN Intelligence website is defaced as hackers claim breach by Zack Whittaker originally published on TechCrunch

Norton LifeLock says thousands of customer accounts breached

Thousands of Norton LifeLock customers had their accounts compromised in recent weeks, potentially allowing criminal hackers access to customer password managers, the company revealed in a recent data breach notice.

In a notice to customers, Gen Digital, the parent company of Norton LifeLock, said that the likely culprit was a credential stuffing attack — where previously exposed or breached credentials are used to break into accounts on different sites and services that share the same passwords — rather than a compromise of its systems. It’s why two-factor authentication, which Norton LifeLock offers, is recommended, as it blocks attackers from accessing someone’s account with just their password.

The company said it found that the intruders had compromised accounts as far back as December 1, close to two weeks before its systems detected a “large volume” of failed logins to customer accounts on December 12.
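How a login log can separate a credential stuffing source from ordinary failed logins, and how it yields the accounts that need review, shown as an added example that is not from the original article or from Norton LifeLock. The log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample auth log (hypothetical format, documentation IP ranges).
SAMPLE_LOG = """\
2022-12-01T02:10:11Z ip=203.0.113.7 user=alice result=FAIL
2022-12-01T02:10:12Z ip=203.0.113.7 user=bob result=FAIL
2022-12-01T02:10:13Z ip=203.0.113.7 user=carol result=OK
2022-12-01T02:10:14Z ip=203.0.113.7 user=dave result=FAIL
2022-12-01T02:10:15Z ip=203.0.113.7 user=erin result=FAIL
2022-12-01T02:10:16Z ip=203.0.113.7 user=frank result=FAIL
2022-12-01T09:00:00Z ip=198.51.100.20 user=grace result=FAIL
2022-12-01T09:00:09Z ip=198.51.100.20 user=grace result=OK
2022-12-12T02:11:00Z ip=203.0.113.7 user=heidi result=FAIL
2022-12-12T02:11:01Z ip=203.0.113.7 user=ivan result=OK
2022-12-12T02:11:02Z ip=203.0.113.7 user=judy result=FAIL
2022-12-12T08:30:00Z ip=192.0.2.55 user=carol result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(
            {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}
        )
    return events


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.25):
    """Flag source IPs that try many distinct usernames and mostly fail.

    A user who mistypes a password fails repeatedly on ONE account; a
    credential stuffing source fails across MANY accounts. Per-IP grouping
    is only one signal: an attack spread over many addresses needs the same
    counting over other attributes (ASN, user agent, time window).
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        stats["ok"] += e["ok"]

    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["ok"] / stats["attempts"]
        if len(stats["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "successes": stats["ok"],
            }
    return flagged


def accounts_to_review(events, flagged_ips):
    """Return {user: first successful login time} for logins from flagged IPs.

    The successes matter more than the failures: each one is an account whose
    reused password worked, and the earliest timestamp marks the start of the
    exposure window, which can predate the day the failure spike was noticed.
    """
    first_hit = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["ok"] and e["ip"] in flagged_ips and e["user"] not in first_hit:
            first_hit[e["user"]] = e["ts"]
    return first_hit


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evts)
    for ip, stats in sources.items():
        print("suspect source", ip, stats)
    for user, ts in accounts_to_review(evts, sources).items():
        print("review account", user, "first success", ts.isoformat())
```
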

“In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address,” the data breach notice said. The notice was sent to customers that it believes use its password manager feature, because the company cannot rule out that the intruders also accessed customers’ saved passwords.

Gen Digital said it sent notices to about 6,450 customers whose accounts were compromised.

Norton LifeLock provides identity protection and cybersecurity services. The incident is the latest in a recent string involving the theft of customer passwords. Earlier this year, password manager giant LastPass confirmed a data breach in which intruders compromised its cloud storage and stole millions of customers’ encrypted password vaults. In 2021, the company behind a popular enterprise password manager called Passwordstate was hacked to push a tainted software update to its customers, allowing the cybercriminals to steal customers’ passwords.

That said, password managers are still widely recommended by security professionals for generating and storing unique passwords, so long as the appropriate precautions and protections are put in place to limit the fallout in the event of a compromise.

Norton LifeLock says thousands of customer accounts breached by Zack Whittaker originally published on TechCrunch

Climate tech roundup: From solar to CES, this week had something for everyone

Hello, climate tech readers! Even without a milestone fusion announcement this week, plenty happened in the climate tech world that’s worth catching up on. From massive solar investments to plant-based steaks and small, modular batteries to back up your home, there’s something for everyone. Let’s dive in.

US solar manufacturing gets boost with $2.5B Georgia deal

Last year was chock full of battery manufacturers and automakers announcing one gigafactory after another. If this week’s announcement is anything to go by, 2023 might be the year the U.S. solar industry ramps up in a serious way.

On Wednesday, Hanwha Qcells, a major Korean manufacturer, announced that it would spend $2.5 billion in Georgia to expand an existing factory and build an entirely new campus that would handle nearly everything in the solar panel supply chain, from silicon ingots to finished panels. The move was spurred by the Inflation Reduction Act, which offers investment and production tax credits that should help cover about half the cost of a finished panel, helping to erase some of China’s cost advantage.

This isn’t the first time the U.S. has attempted to bolster homegrown solar. But unlike a decade ago, when dozens of companies went bust because of slack demand, cheap Chinese panels and the Great Recession, this time might be different.

How companies at CES are taking on climate change (or pretending to)

TechCrunch’s Harri Weber made the trek to CES this year, and she saw plenty of climate tech at the massive trade show, which has expanded well beyond VR headsets and home automation (though that’s still there, too.) From smart hoses and sprinklers to minimize water use to home energy systems, there was plenty to be optimistic about — though there was still some AstroTurf, too, both on the show floor and in what was being hawked in the booths.

Project Eaden’s fiber technology poised to spin threads into whole cuts of ‘meat’

Plant-based meat has had a rough few months, with industry leaders getting hammered in the markets. But not everyone is bearish on the sector. Project Eaden showed why this week, adding €2.1 million in funding to an existing seed round.

The Berlin-based startup uses plant-based protein fibers to spin cuts of alternative meat that have a texture that’s much closer to the real thing. Project Eaden has just over €10 million in funding to refine its technology, and it’s planning on future rounds to build a production-scale plant.

Climate benefits of killing gas stoves aren’t what you think, but the health benefits are

It’s no secret that gas stoves are terrible for your health — asthma rates in households that have gas stoves are significantly higher than those without. They’re also not great for the climate. Even though their emissions footprint is small, they let aging gas utilities keep their feet in the door, making it easier for homeowners to keep their fossil fuel systems running long after they should.

But why are we talking about gas stoves this week? U.S. Consumer Product Safety Commission Rich Trumka Jr. made a comment about how they’re a “hidden hazard” and that “any option is on the table” if the industry couldn’t figure out how to clean up its act. Well, that brought the wolves out. Right-wing politicians latched onto Trumka’s statement, hoping to create a new flashpoint in the ongoing culture wars. That might backfire, though, as gas-owning, induction-curious consumers start looking into the matter themselves.

John Deere will let farmers repair their own equipment

The right-to-repair movement got a shot in the arm this week when John Deere signed a memorandum of understanding with the American Farm Bureau Federation that would grant access to tools and repair information needed by farmers and other operators to fix the company’s increasingly complex equipment without going through the manufacturer.

For farmers and independent repair shops, it’s not a perfect deal, however, because Deere said it would still withhold “trade secrets, proprietary or confidential information.” But given that Deere has long pushed back against right-to-repair requests, this is likely welcome news for farmers, operators and independent shops. And it’ll likely help keep well-functioning equipment in the fields longer.

A big CES 2023 trend: All battery power, everywhere, all the time

It’s happening: Batteries are taking over. I’ve long anticipated that the sheer amount of R&D and manufacturing capacity wrought by the shift to electric vehicles would spill over to transform myriad other sectors. If this year’s CES is anything to go by, we’ve reached an inflection point.

TechCrunch’s Haje Jan Kamps was bowled over by the number and diversity of battery-based home power solutions at the show this year. Many were stackable. One could be wheeled around your house like a 100-pound wagon. Another carried like a milk crate. And yet another ties into a whole-home system that includes a solar inverter, smart circuit panel, EV chargers and more. If you don’t have a battery in your home yet, you might in the next five years if this CES was anything to go by.

Climate tech roundup: From solar to CES, this week had something for everyone by Tim De Chant originally published on TechCrunch

So much fintech M&A

Welcome to The Interchange! If you received this in your inbox, thank you for signing up and your vote of confidence. If you’re reading this as a post on our site, sign up here so you can receive it directly in the future. Every week, I’ll take a look at the hottest fintech news of the previous week. This will include everything from funding rounds to trends to an analysis of a particular space to hot takes on a particular company or phenomenon. There’s a lot of fintech news out there and it’s my job to stay on top of it — and make sense of it — so you can stay in the know. —Mary Ann

Consolidation everywhere

On Friday, January 13, investment giant BlackRock announced it was acquiring a minority stake in SMB 401(k) provider startup Human Interest. Terms of the deal weren’t disclosed, but it definitely caught my attention for a few reasons. For one, as one source told me, BlackRock’s investment is a show of faith in the SMB 401(k) market — one where the firm hasn’t historically played. That same source, who preferred not to be named, pointed out that “SECURE 2.0’s auto-enrollment provisions (among others), will make 401k plans more impactful at the lower end of the market, and Human Interest is well-positioned to execute.”

I’ve been writing about Human Interest since March 2020, covering each of its funding rounds since then (here, here and here), and following its impressive growth. It achieved unicorn status in August 2021 and at the time was eyeing an IPO. A lot has changed in the markets since then, so this feels like a good outcome for the startup, which was founded by Paul Sawaya and Roger Lee in 2015. Lee (a very nice guy, incidentally) moved on years ago, recently founding another startup, Comprehensive.io and launching layoff tracker Layoffs.FYI soon after the COVID-19 pandemic hit.

The deal was just one of many M&A deals in the fintech space that occurred last week. Here’s a rundown of some others:

Remote payroll startup Deel acquired fintech Capbase for an undisclosed amount in a cash and stock deal, the companies shared with me exclusively. Last valued at $12 billion, Deel is one of the buzziest fintechs around, and its decision to pick up Capbase reflects its intent to enter the equity management space.
Investment giant Fidelity acquired Shoobx, marking its first buy in 7 years (!). Jason Furtado and Stephan Richter founded Boston-based Shoobx in 2013, according to Crunchbase. The pair went on to raise a known $10 million in funding for the company. Fidelity said its purchase of Shoobx is a sign of its commitment to the private market “and will help to satisfy an increasing demand Fidelity sees from private companies to support them as they scale and grow.”
Vouch, an insurtech focused on startups, acquired lending startup Level for an undisclosed amount. As reported by Life Insurance International: “Level has created a tech-driven underwriting process for early-stage fintech startups that is claimed to have brought new efficiency and speed to the debt-raising process. Vouch hopes to leverage Level’s expertise in developing underwriting technologies to underwrite and support complex insurance products. Level was founded by Vladimir Korshin, Asa Schachar and Molly Hogan in 2021.” In September 2021, I covered Vouch’s announcement of $90 million in new funding. Both Vouch and Level are Y Combinator alums.
American Express announced that it has entered into an agreement to acquire Nipendo, a company that aims to automate and streamline business-to-business (B2B) payments processes for global businesses that has raised a known $12 million in funding. I talked with Dean Henry, EVP of global commercial services for Amex, and Colleen Taylor, president of merchant services, US at Amex, and they gave me some insight into the strategy behind the buy. For starters, Henry said the credit card giant has been on “a multiyear journey…to really grow and expand capabilities in B2B payments.” He added: “What we’ve really tried to evolve in the last few years is into a one-stop-shop for businesses to pay anybody anywhere, using any kind of payment rails that they want to use in order to facilitate the payments….What we’re trying to do with Nipendo is add to that capability set and provide more value to suppliers who are trying to send invoices, interact with buyers and transact with data around B2B payments.” Notably, Taylor told me that American Express concluded that it would take a big company like American Express “a long time to replicate what they’ve built.” And this line was the classic motivation for all incumbents buying fintechs: “Why not just bring it in to our platform and get it to customers as quickly as possible?”

To bring some context around all this M&A, I conducted an email interview with Jonah Crane, partner at Klaros Group. Crane predicts we will continue to see a lot of fintech M&A.

He told me: “The question I have is who will capitalize on this bear market to scoop up valuable technology or talent. In particular, I’m interested in whether banks can be opportunistic. Some of the large banks have already been active, and the others need to ask themselves whether they are serious about innovation and digital transformation. If they are, they can’t afford to miss this moment.”

Of course, he added, much will depend on the macro picture. “If we have a soft landing, and markets head back up, the true bargains may already have passed. And if we are in for a very hard landing, buyers are at risk of catching falling knives—especially in the credit sector,” Crane said. “Getting deals done in these markets is no sure thing. We’ve already seen a number of announced deals fail to close: UBS/Wealthfront, Bolt/Wyre, and now JPMC/Frank (more on that later). Ultimately, the big challenge will be whether buyers and sellers can cross the massive valuation chasm created by the bursting of the fintech bubble.”

No doubt the venture slowdown and practically dead IPO and SPAC markets have contributed to the surge in M&A activity.

“VCs are telling their portfolio companies they should be prepared to shelter in place for 18 to 24 months, and many have laid off a lot of staff. But what’s the end game? What are you aiming to achieve that will allow you to raise at a reasonable valuation when markets are fully reopened?” Crane asks. “Those who don’t have a clear bridge to the other side of that chasm will be looking for buyers (if they’re smart).”

All I know is if we have more weeks like this one, you’re going to have one exhausted fintech journalist on your hands!

Weekly News

Layoffs

Reports Jagmeet Singh: “Greenlight, a fintech startup offering debit cards to kids, has laid off 104 employees — or over 21% of its total headcount of 485 employees — to “better align with ongoing operating expenses” amid the economic slowdown. TechCrunch learned about the layoff that was announced to its employees earlier this week. The startup later confirmed the development over an email.” More here.

Digital mortgage platform Blend said last week it’s slashing its U.S. workforce by 28%, or 340 jobs, in its fourth layoff in less than a year. The company also said that president Tim Mayopoulos will step down from his role in the first quarter and remain as a board member. Clearly, the rise in mortgage interest rates has taken its toll. More here.

Publicly-traded online lending platform Lending Club is cutting 14% of its workforce, a move that will impact 225 employees, reports MarketWatch, “as higher interest rates discourage demand for loans, and the company forecast fourth-quarter revenue that was below expectations.”

In other news

Public.com, an investing platform with more than 3 million members, announced last week that it has begun rolling out Treasury accounts through a partnership with fintech startup Jiko. According to the two companies, the accounts allow members to invest their cash in U.S. Treasury bills that “are automatically reinvested at maturity and can be sold at any time.” A spokesperson told me that Public’s Treasury accounts “offer members similar flexibility to a high-yield savings account, but are currently offering even higher yields.”

Equity management platform Carta had a rough week. As TC’s Connie Loizos reported on January 11: “The 11-year-old, San Francisco-based outfit whose core business is selling software to investors to track their portfolios, has sued its former CTO, Jerry Talton, who the company says was fired ‘for cause’ almost three weeks ago, on Friday, December 23.” The case is a bit of a sordid one, considering that “toward the end of Carta’s long list of accusations against Talton, Carta says that Talton both sent and received ‘sexually explicit, offensive, discriminatory and harassing messages with at least nine women including during work hours and on Carta’s systems.’” For his part, Connie also wrote that Talton was put on administrative leave in October of last year after submitting a letter to Carta’s board of directors, flagging various “problems” with the company’s culture. Then, Natasha reported later that day that the company, which was last privately valued at $7.4 billion, had cut 10% of its staff.

It looks like incumbent banks and institutions are still struggling when it comes to offering tech-enabled financial services.

For one, Goldman Sachs Group reported last Thursday that it lost $3.03 billion on its platform solutions business that houses transaction banking and credit card and financial technology businesses since 2020. Reuters reports: “The disclosure did not provide separate numbers for its direct-to-consumer business, Marcus, which was moved into its asset and wealth management arm. Marcus has also lost money and failed to introduce a checking account. Swati Bhatia, who led the group, stepped down earlier this month, according to an internal announcement seen by Reuters.”

Meanwhile, Wells Fargo is taking a step back from mortgages. CNBC reported: “Instead of its previous goal of reaching as many Americans as possible, the company will now focus on home loans for existing bank and wealth management customers and borrowers in minority communities.” Interestingly, in an interview with CNBC, CEO Charlie Scharf acknowledged that the bank “will need to adapt to evolving conditions” while remaining confident about its competitive advantage. Specifically, he said: “Given the quality of the five major businesses across the franchise, we think we’re positioned to compete against the very best out there and win, whether it’s banks, nonbanks or fintechs.” To me, it feels like the move to shrink back from the housing market might open up more opportunities for fintechs.

Lastly, as referenced above, Forbes reported on an absolutely crazy account of JPMorgan basically getting duped by the founders of a startup, Frank, that it acquired for $175 million. Here’s an excerpt from the Forbes piece detailing a lawsuit filed by the banking giant, which claims that founder and former CEO Charlie Javice “pitched JP Morgan in 2021 on the ‘lie’ that more than 4 million users had signed up to use Frank’s tools to apply for federal aid. When JP Morgan asked for proof during due diligence, Javice allegedly created an enormous roster of ‘fake customers’ — a list of names, addresses, dates of birth, and other personal information for 4.265 million ‘students’ who did not actually exist.” In reality, according to the suit, Frank had fewer than 300,000 customer accounts at that time.” Oof. What happened to due diligence here???

More news

According to research from Utility Bidder, there are said to currently be over 700 active unicorn companies in the U.S., 132 of which are in the fintech industry. The firm’s new study has revealed the global fintech companies achieving the $1 billion valuation mark the fastest. Proptech Pacaso tops the list, taking just under six months to achieve unicorn status. Other companies on the list include Magic Eden, Clara, Brex and Pipe. The firm also ranked the most valuable fintech companies. Leading the way is Stripe, which actually just got another internal valuation cut and laid off over 1,100 workers last November. Ironically, a number of other startups that made the top 10 also happened to conduct layoffs over the past few months, including Plaid, Brex and Chime. Wondering why Utility Bidder cares about fintech? I did, too. Here’s what a spokesperson told me: “Utility Bidder [is] a price comparison site for energy and utility rates, so they have a focus on business finances as well as energy as a whole.”

Identity decisioning platform and fintech unicorn Alloy recently released its annual State of Fraud Benchmark Report. The report found that 70% of financial institutions surveyed lost over half a million to fraud last year and that 27% of respondents lost over $1 million to fraud in the last 12 months. Further, 37% of fintech companies and 31% of regional banks estimated losing between $1 and $10 million to fraud.

A Morgan Stanley spokesperson reached out to me last week after seeing our coverage of Fidelity’s acquisition of Shoobx to let me know that “Morgan Stanley at Work has invested a lot of time and resources” in its Private Markets business, “and continues to see it as an area of growth — especially as we recently just saw an astounding uptick in liquidity events during Q4 2022, which further supports the idea that private companies/startups need an effective software solution to handle these complex transactions.” The firm acquired Solium, a cap table management solution platform now called Shareworks, in 2019.

Oracle Retail announced last week its new Oracle Retail Payment Cloud Service. Via email, a spokesperson told me: “This new service equips retailers with a fixed rate model and the ability to accept all major contactless payment options including credit/debit cards and mobile wallets — all without hidden fees, long-term contracts or minimum monthly requirements. These benefits enable increased flexibility, agility and greater transparency for retailers of all sizes and industries…”

Mesh Payments has brought on Daniel Ochoa as its first SVP of global sales. Based in Austin, Ochoa most recently served as VP of sales and customer success at TripActions. Mesh co-founder and CEO Oded Zehavi told TechCrunch via email that Ochoa was brought on “to leverage a surge in customer demand” as the company builds out “new services to meet the needs of larger companies who are more than ready to move off of legacy spend management solutions.” Sounds like Mesh, like competitor Brex last year, is going after more enterprise customers.

Speaking of Brex, here’s a fun tweet thread from former CRO and current Founders Fund partner Sam Blond about “the best outbound campaign” Brex ever ran.

Funding and M&A

Seen on TechCrunch

From cloud computing to proptech: DigitalOcean co-founders raise $29M for Welcome Homes

Backed by Tiger Global, Mayfair emerges from stealth to offer businesses a higher yield on their cash

Vista Equity Partners to acquire insurance software company Duck Creek for $2.6B

And elsewhere

Dubai-based social investing startup InvestSky picks up $3.4M pre-seed

Proptech that offers fractional home ownership to wealthy individuals raises $30M in debt and equity

Pagaya Technologies announces acquisition of Darwin Homes

Canadian fintech Nuvei will acquire Atlanta-based payments firm Paya for $1.3B

40Seas secures $11M in equity, $100M in credit to grow cross-border trade financing platform

Butter raises $22M led by Norwest Venture Partners to end accidental payment churn

Other stories I wrote this week:

These 5 companies bootstrapped their way to big businesses while VCs came knocking

Sam Bankman-Fried launches Substack: ‘I didn’t steal funds, and I certainly didn’t stash billions away’

And, I recorded Equity Pod with my incredible co-hosts Natasha Mascarenhas and Rebecca Szkutak: Frank-ly, the Kardashian method won’t work for SBF

Whew. This was one of the busiest weeks we’ve seen in a while. Hope those of you in the U.S. have a good and restful long weekend, and if you’re outside of the U.S., I hope you have a good and restful weekend as well. Until next time, take good care. xoxoxo — Mary Ann

So much fintech M&A by Mary Ann Azevedo originally published on TechCrunch

Environmental health and safety software is now a hot commodity

Historically, environmental health and safety software hasn’t been a massive market — at least compared to others in the software-as-a-service segment — and it’s admittedly not the most enthralling startup category. But that’s changing, according to a new survey released by research firm Verdantix.

EHS software acts as a data management system for capturing and analyzing information related to occupational health and safety, waste management and sustainability. Companies use EHS software to track emissions and investigate workplace incidents, for example, as well as conduct health and safety training and grant entry to restricted spaces.

Verdantix’s Green Quadrant: EHS Software 2023 survey shows that the EHS software market had more than 50 transactions in the past two years and predicts that it’ll grow from $1.6 billion in 2022 to around $2.7 billion by 2027. Verdantix predicts it’ll buck the global economic downturn, furthermore, due to differentiators like the use of AI and automation.

“Over the past two years, the market landscape for EHS software has undergone a paradigm shift, as EHS providers have expanded their product offerings to meet the ravenous appetite for robust environmental management solutions brought on by the ESG megatrend,” Verdantix industry analyst Chris Sayers said in a statement. “As EHS functions seek to interlink with other business operations, providers are turning to emerging technologies as a point of differentiation and redefining the functional possibilities of EHS software.”

Per the Verdantix report, since ETF Partners invested around €10 million (roughly $11 million) in EHS vendor Enablon in 2011, private equity firms and strategic investors like Wolters Kluwer and Fortive have spent more than $4 billion to buy into the EHS software market. The absence of the world’s largest enterprise software vendors — including IBM, Microsoft, Oracle, Salesforce and SAP — has left a lot of oxygen in the market for midsize businesses to grow.

Environmental health and safety software is now a hot commodity by Kyle Wiggers originally published on TechCrunch

CircleCI says hackers stole encryption keys and customers’ source code

CircleCI, a software company whose products are popular with developers and software engineers, confirmed that some customers’ data was stolen in a data breach last month.

The company said in a detailed blog post on Friday that it identified the intruder’s initial point of access as an employee’s laptop that was compromised with malware, allowing the theft of session tokens used to keep the employee logged in to certain applications, even though their access was protected with two-factor authentication.

The company took the blame for the compromise, calling it a “systems failure,” adding that its antivirus software failed to detect the token-stealing malware on the employee’s laptop.

Session tokens allow a user to stay logged in without having to keep re-entering their password or re-authorizing using two-factor authentication each time. But a stolen session token allows an intruder to gain the same access as the account holder without needing their password or two-factor code. As such, it can be difficult to differentiate between a session token used by the account owner and one used by a hacker who stole it.

CircleCI said the theft of the session token allowed the cybercriminals to impersonate the employee and gain access to some of the company’s production systems, which store customer data.

“Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys,” said Rob Zuber, the company’s chief technology officer. Zuber said the intruders had access from December 16 through January 4.

Zuber said that while customer data was encrypted, the cybercriminals also obtained the encryption keys able to decrypt customer data. “We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores,” Zuber added.

Several customers have already informed CircleCI of unauthorized access to their systems, Zuber said.

The post-mortem comes days after the company warned customers to rotate “any and all secrets” stored in its platform, fearing that hackers had stolen its customers’ source code and other sensitive secrets used for access to other applications and services.

Zuber said that CircleCI employees who retain access to production systems “have added additional step-up authentication steps and controls,” which should prevent a repeat incident, likely by way of using hardware security keys.

The initial point of access, the theft of tokens from an employee’s laptop, bears some resemblance to how the password manager giant LastPass was hacked, which also involved an intruder targeting an employee’s device, though it’s not known if the two incidents are linked. LastPass confirmed in December that its customers’ encrypted password vaults were stolen in an earlier breach. LastPass said the intruders had initially compromised an employee’s device and account access, allowing them to break into LastPass’ internal developer environment.

CircleCI says hackers stole encryption keys and customers’ source code by Zack Whittaker originally published on TechCrunch
