DigiCert Support Portal Hack: 27 Code-Signing Certs Stolen

A breach at one of the internet's most trusted certificate authorities has raised serious questions about software supply chain security. DigiCert, a major provider of digital certificates used to verify the authenticity of software and websites, confirmed that attackers used social engineering to compromise two of its tech support employees, gaining access to backend systems and stealing 27 code-signing certificates. Those certificates were subsequently used to sign malware before DigiCert revoked them.

The incident is a reminder that even the organizations responsible for maintaining digital trust are not immune to human-targeted attacks.

What Are Code-Signing Certificates and Why Do They Matter?

When you download software, your operating system often checks whether it carries a valid digital signature. This signature, issued by a trusted certificate authority like DigiCert, is supposed to confirm that the software came from a legitimate source and has not been tampered with. It is a core part of how modern operating systems, from Windows to macOS, help users distinguish trustworthy software from malicious impostors.

When attackers get hold of legitimate code-signing certificates, they can wrap malware in a cloak of legitimacy. Security tools, operating system warnings, and even some enterprise endpoint protection systems may treat signed software as trustworthy by default. A user downloading what appears to be a signed, verified application has fewer visual signals to warn them that something is wrong.

In this case, 27 stolen certificates were actively used to sign malware before DigiCert identified the breach and revoked them. Revocation is the correct response, but it is not instantaneous protection. Revocation checks are not always enforced in real time, and some systems or configurations may not immediately recognize that a previously valid certificate is no longer trustworthy.

How the Attack Happened: Social Engineering at the Help Desk

The method used to gain access is worth paying close attention to. Attackers did not exploit an unpatched software vulnerability or brute-force their way through a firewall. They targeted people. Two tech support employees were manipulated into providing access to backend systems, a technique broadly known as social engineering.

Help desk and support staff are frequently targeted in this way because their job requires them to be helpful and responsive. Attackers often impersonate colleagues, vendors, or urgent internal requests to pressure support staff into bypassing normal verification procedures.

This attack follows a well-established pattern seen in breaches at major organizations across industries. The lesson is not that DigiCert was uniquely negligent. It is that social engineering remains one of the most effective attack vectors available, regardless of how sophisticated the target's technical defenses are.

What This Means For You

If you download security software, VPN clients, or any application from the internet, this incident has direct relevance to your personal security practices.

First, downloading software only from official, primary sources matters more than ever. A certificate signature is a useful signal, but it is not infallible, as this breach demonstrates. Avoid downloading software from third-party app stores, mirror sites, or links shared through social media or email unless you have independently verified the source.

Second, keeping your operating system and security software updated ensures that revoked certificates are recognized as invalid on your device. Certificate revocation lists and OCSP (Online Certificate Status Protocol) updates are distributed through system and browser updates. An outdated system may continue to trust a certificate that has already been revoked.

Third, for users of VPN or security software specifically, it is worth periodically reviewing where your installations came from and whether the vendor has communicated any security notices. Reputable vendors will disclose issues affecting their software distribution pipeline.

For organizations, this incident reinforces the case for requiring multi-factor authentication for all support and administrative staff, implementing strict verification procedures before granting any access, and auditing which employees can reach sensitive certificate management systems.

Actionable Takeaways

  • Download software only from official vendor websites. Avoid third-party download aggregators, even for well-known applications.
  • Keep your OS and browsers updated. Revocation data is delivered through updates. An outdated system may not recognize compromised certificates.
  • Check for vendor security advisories. If you use software signed by DigiCert, visit the vendor's official security page to confirm whether any of your installed software was affected.
  • Be skeptical of unexpected software updates. If you receive an unsolicited prompt to update an application, verify through the application itself rather than clicking an external link.
  • Organizations should audit certificate trust stores. Security teams should review which certificates are trusted in their environments and ensure revocation checking is enforced.
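A model of the client-side decision the revocation paragraphs above and the last takeaway describe, added here as an illustration rather than code from DigiCert or any operating system vendor: it shows why a stale CRL or soft-fail checking keeps a revoked certificate trusted, and (going one step beyond the text) how a trusted signing timestamp combined with the CRL entry's invalidity date lets pre-compromise releases stay valid while later signatures are rejected. The CA name, serial number and dates are constructed sample data; real clients parse X.509 CRLs rather than these dataclasses.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class CRLEntry:
    serial: int
    revoked_at: datetime
    invalidity_date: Optional[datetime] = None  # earliest time the key is believed compromised

@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime            # past this point the list is stale and must be refreshed
    entries: dict = field(default_factory=dict)  # serial -> CRLEntry

@dataclass
class Signature:
    issuer: str
    serial: int
    signed_at: datetime              # taken from a trusted countersignature timestamp

def verify(sig: Signature, crl: Optional[CRL], now: datetime, hard_fail: bool = True) -> str:
    """Decide whether the certificate behind a signature is trusted right now.
    Returns 'trusted', 'revoked', 'no-crl' or 'stale-crl'. With hard_fail=False a missing
    or outdated CRL is silently ignored (the 'soft-fail' default of many clients)."""
    if crl is None or crl.issuer != sig.issuer:
        return "no-crl" if hard_fail else "trusted"
    if hard_fail and now > crl.next_update:
        return "stale-crl"
    entry = crl.entries.get(sig.serial)
    if entry is None:
        return "trusted"             # not listed in the (possibly outdated) CRL
    cutoff = entry.invalidity_date or entry.revoked_at
    # Timestamped signatures made before the compromise window stay valid; later ones fail.
    return "revoked" if sig.signed_at >= cutoff else "trusted"

# Constructed sample timeline (UTC): serial 4242 is a code-signing certificate that was
# misused; the CA revoked it on day 10 and set the invalidity date back to day 7.
def day(n: int) -> datetime:
    return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(days=n)

ISSUER = "Example CA (constructed)"
GOOD_SIG = Signature(ISSUER, 4242, signed_at=day(3))     # vendor's own release, pre-compromise
MALWARE_SIG = Signature(ISSUER, 4242, signed_at=day(8))  # signed inside the compromise window
CRL_STALE = CRL(ISSUER, this_update=day(5), next_update=day(9))  # fetched before the revocation
CRL_CURRENT = CRL(ISSUER, day(10), day(17), {4242: CRLEntry(4242, day(10), invalidity_date=day(7))})
NOW = day(12)
```

With the stale list and soft-fail checking the malware signature is still reported as trusted, which is the window the article warns about; the same signature against the current CRL is rejected while the vendor's earlier, timestamped release remains valid.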

DigiCert's response, including revoking the affected certificates, is appropriate and expected. But the broader takeaway is that the trust infrastructure underlying software distribution depends on human processes as much as technical ones. Understanding where that trust comes from, and where it can break down, puts you in a better position to protect yourself.