Another software company has fallen victim to a security breach, with CircleCI joining the list of major applications such as LastPass, Slack, and others that have experienced security incidents in recent weeks.
CircleCI, a software testing and delivery company, has described the issue as a "Security Incident," and has advised its customers to rotate all secrets stored on the service.
CircleCI, which claims “over 1 million engineers using their platform”, never stated that a breach occurred. On January 4, 2023, the company released an advisory saying it was investigating a security incident. It “strongly recommended” that all customers rotate the secrets stored in the CircleCI platform, including those stored in project environment variables or in contexts. It also recommended that customers review their internal system logs for any unauthorized access between December 21, 2022 and January 4, 2023, or upon completion of their secret rotation.
CircleCI has not yet provided details on precisely what was compromised, how attackers got in, or what they may have had access to. Still, we can read the bulletin’s “tea leaves”: there is a real possibility that attackers had access to CircleCI customer secrets. Otherwise, why advise customers to change them immediately?
Customers place credentials in software delivery mechanisms like CircleCI to authenticate and authorize test and other build tools, and to deploy (“deliver”) and configure the built software into its execution environment (usually a cloud tenancy). Since CircleCI invalidated every customer API token, it is probable that the secrets attackers may have had access to include the tokens that allow CircleCI to automate software deployments. That alone would be quite serious, as cloud API tokens can give attackers near-complete control of a cloud tenancy, and therefore of CircleCI customers' cloud products.
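The advisory's second step, reviewing internal logs for unauthorized use between December 21, 2022 and January 4, 2023, is the part customers have to build themselves. The script below is an added example for this post, not CircleCI's tooling: it assumes a generic JSON-lines audit log with the fields `time`, `principal`, `action` and `source_ip` (constructed names; map them to your provider's fields, e.g. CloudTrail's `eventTime`, `userIdentity.arn`, `eventName` and `sourceIPAddress`), a constructed list of cloud principals whose credentials lived in CircleCI project variables or contexts, and a constructed allowlist of the egress addresses your pipeline normally uses. It flags any use of a pipeline-held credential inside the window from an address outside that allowlist and summarizes each such principal's activity, which is exactly the evidence needed to decide whether rotation alone was enough.

```python
"""Incident-window review of cloud audit logs for credentials stored in CircleCI.

Added example, not CircleCI's code. Log field names, principals, source
addresses and the sample records are all constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# CircleCI's review window: December 21, 2022 through January 4, 2023.
# Treating the end as the end of that day in UTC is an assumption.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 4, 23, 59, 59, tzinfo=timezone.utc)

# Constructed: cloud principals whose long-lived credentials were stored in CircleCI.
PIPELINE_PRINCIPALS = {"ci-deploy-bot", "ci-test-runner"}

# Constructed: egress addresses from which the pipeline normally calls the cloud API.
EXPECTED_CI_SOURCES = {"203.0.113.10", "203.0.113.11"}

# Constructed sample audit log (JSON lines); a real one is exported from the
# cloud provider's audit trail.
SAMPLE_LOG = """\
{"time": "2022-12-15T09:00:00Z", "principal": "ci-deploy-bot", "action": "UpdateFunctionCode", "source_ip": "203.0.113.10"}
{"time": "2022-12-22T03:14:00Z", "principal": "ci-deploy-bot", "action": "UpdateFunctionCode", "source_ip": "203.0.113.11"}
{"time": "2022-12-28T23:41:07Z", "principal": "ci-deploy-bot", "action": "ListBuckets", "source_ip": "198.51.100.77"}
{"time": "2022-12-28T23:42:30Z", "principal": "ci-deploy-bot", "action": "GetObject", "source_ip": "198.51.100.77"}
{"time": "2023-01-02T11:05:00Z", "principal": "alice", "action": "ListBuckets", "source_ip": "198.51.100.5"}
{"time": "2023-01-06T08:00:00Z", "principal": "ci-test-runner", "action": "DescribeInstances", "source_ip": "198.51.100.77"}
"""


def parse_events(log_text):
    """Parse JSON-lines audit records; 'time' becomes a timezone-aware datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def in_window(ts):
    """True if the timestamp falls inside CircleCI's recommended review window."""
    return WINDOW_START <= ts <= WINDOW_END


def review(log_text, principals=PIPELINE_PRINCIPALS, expected_sources=EXPECTED_CI_SOURCES):
    """Return (suspicious_events, per_principal_summary) for the incident window.

    An event is suspicious when a pipeline-held credential was used inside the
    window from an address the pipeline does not normally use. The summary
    records every in-window use of such credentials, expected or not, so the
    responder can see the full picture for each principal.
    """
    suspicious = []
    summary = defaultdict(lambda: {"events": 0, "sources": set(), "actions": set()})
    for ev in parse_events(log_text):
        if ev["principal"] not in principals or not in_window(ev["time"]):
            continue
        entry = summary[ev["principal"]]
        entry["events"] += 1
        entry["sources"].add(ev["source_ip"])
        entry["actions"].add(ev["action"])
        if ev["source_ip"] not in expected_sources:
            suspicious.append(ev)
    return suspicious, dict(summary)


if __name__ == "__main__":
    hits, summary = review(SAMPLE_LOG)
    for principal, entry in summary.items():
        print(f"{principal}: {entry['events']} events in window from {sorted(entry['sources'])}")
    for ev in hits:
        print(f"SUSPICIOUS {ev['time'].isoformat()} {ev['principal']} {ev['action']} from {ev['source_ip']}")
```

On the constructed sample this reports the two `ci-deploy-bot` calls from `198.51.100.77` on December 28 as suspicious; the December 15 and January 6 records fall outside the window and the January 2 record belongs to a human user, so neither is counted. A non-empty suspicious list means the credential should be treated as used by a third party, not merely exposed, and the actions it performed become the scope of the follow-up investigation.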
In response to the recent security incident, CircleCI has been actively updating its customers on a daily basis with guidance on how to rotate their secrets using various methods. This advisory will provide an overview of the steps that can be taken to follow up on this important action.
Need Advice on Secret Management in DevOps?
Might your startup be unsure about how to use industry tools to set up alerts for security incidents like this, or need expert advice on secret management in DevOps? We would love to meet and chat.
Please feel free to use this link to schedule a quick sync.
Or you can take our Free 5-Minute security assessment, designed specifically for startups.
Once a startup completes the short assessment form, we craft two confidential reports: a Security Assessment Report that shows existing gaps and risks, and a Security Recommendations Report with custom solutions, priorities, and tools that the team can either begin implementing or add to its roadmap.