DigiCert Emergency Revocation: Support Portal Breach Via Chat Malware Leads to Certificate Reissuance

Last updated: 2026-05-05 01:22:42 · Cybersecurity

Breaking: DigiCert Revokes Certificates After Attackers Breach Support Portal Through Malicious Chat

Urgent — DigiCert, a major certificate authority (CA), has been forced to revoke an unknown number of SSL/TLS certificates after hackers infiltrated its internal support portal. The breach began when threat actors delivered malware through a customer-facing chat channel, subsequently infecting an analyst’s workstation and gaining unauthorized access to the support system.

Source: www.securityweek.com

The company disclosed the incident late Tuesday, calling it an “immediate security threat” that required mass revocation. Affected certificate holders have been notified and are being urged to reissue keys without delay.

Attack Chain: Chat Malware to Portal Access

According to DigiCert’s incident report, the attackers first targeted a customer chat feature. “They embedded malicious payloads into what appeared to be legitimate support conversations,” said Dr. Laura Vanez, a cybersecurity analyst at ThreatGrid. “Once an analyst opened the malicious attachment, the malware spread laterally into the support portal.”

The breach did not compromise the company’s core certificate issuance infrastructure, but the support portal contained sensitive customer data and historical certificate metadata. “The portal itself was a rich target,” added Marcus Fowler, director of digital trust at CyberStead. “Even without direct access to the root signing keys, attackers could map out which certificates were linked to which clients, enabling further targeted attacks.”

Background

DigiCert is one of the world’s largest public certificate authorities, issuing millions of SSL/TLS certificates for websites, email, and code signing. Its support portal is used by enterprise clients to manage certificate lifecycle operations, including revocation requests and key generation.

This incident marks a rare breach of a CA’s internal systems. In 2023, a similar attack against a different certificate authority led to the temporary distrust of thousands of certificates. The current breach is under active investigation by DigiCert’s security team and external forensic partners.

What This Means

For certificate holders: Every certificate associated with the compromised portal must be reissued. DigiCert has provided step-by-step instructions on its support site. “Customers should treat all existing certificates as potentially compromised,” warned Fowler. “Even if the attacker didn’t get the private keys, they could use metadata to weaken encryption or impersonate certificate owners.”

For the broader internet: Mass certificate revocations can disrupt HTTPS trust chains. Browsers and operating systems may need to cache revocation information, causing temporary warnings for end users. However, DigiCert’s automated renewal tools should minimize downtime.

Dr. Vanez emphasized the bigger lesson: “Chat channels are a growing vector. Companies must isolate critical systems from customer-facing support tools. A single infected workstation should never lead to portal compromise.”

Timeline of Events

  • Day 1: Hackers deliver malware via customer chat.
  • Day 2: Malware infects support analyst’s machine.
  • Day 3: Attackers escalate privileges and enter support portal.
  • Day 4: DigiCert detects anomalous activity and initiates incident response.
  • Day 5: Company decides to revoke all potentially exposed certificates.

What’s Next?

DigiCert says it is rolling out enhanced segmentation for its support environment. The company also plans to deploy real-time threat intelligence on all chat channels. “We are moving to a zero-trust model for internal communications,” a DigiCert spokesperson stated. Customers are advised to monitor their DigiCert dashboard for revocation alerts and to generate new keys as soon as possible.
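
A check certificate holders can run after reissuance, added here as an example (it is not part of DigiCert's instructions or of the original report): it compares the public-key fingerprint of the old and the replacement certificate to confirm that a new key pair was generated rather than the old key being certified again. The file names and the throwaway self-signed certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: confirm a reissued certificate was rekeyed, not re-signed over the old key.

# SHA-256 of the certificate's SubjectPublicKeyInfo (DER), hex-encoded.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Compare old and replacement certificates: prints "rekeyed" or "key-reused".
rekey_status() {
    old=$(spki_sha256 "$1") || return 2
    new=$(spki_sha256 "$2") || return 2
    [ -n "$old" ] && [ -n "$new" ] || return 2
    if [ "$old" = "$new" ]; then echo "key-reused"; else echo "rekeyed"; fi
}

# Constructed sample data: self-signed certs standing in for real ones.
# old.pem and renewed_same_key.pem share a key; reissued.pem uses a fresh one.
make_samples() {
    d=$1
    for k in old new; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$d/$k.key" 2>/dev/null
    done
    for pair in old:old old:renewed_same_key new:reissued; do
        openssl req -x509 -new -key "$d/${pair%%:*}.key" -days 1 \
            -subj "/CN=www.example.test" -out "$d/${pair##*:}.pem" 2>/dev/null
    done
}

demo() {
    tmp=$(mktemp -d) && make_samples "$tmp"
    for c in renewed_same_key reissued; do
        echo "$c.pem: $(rekey_status "$tmp/old.pem" "$tmp/$c.pem")"
    done
    rm -rf "$tmp"
}
demo
```

A "key-reused" result means the replacement certificate still depends on the key pair that was in use before the revocation.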

The full impact of this breach will not be known for weeks, but cybersecurity experts agree: this is a wake-up call for the entire public key infrastructure ecosystem.