CircleCI, a software development service, has disclosed a security incident and urges users to rotate their secrets.
The CI/CD platform claims to have a user base of over a million engineers who rely on the service for “speed and reliability” in their builds.
CircleCI notifies users of the incident
CircleCI says it is currently investigating a security incident, according to email notifications received by CircleCI users.
Until the company completes its investigation, users are urged to rotate any secrets stored in CircleCI out of an abundance of caution.
“We will provide you with updates on this incident and our response, as they become available,” Rob Zuber, CTO of CircleCI, said in a brief advisory released Wednesday.
“At this point, we are confident that no unauthorized actors are active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative steps to protect your data as well.”
Secrets customers are advised to rotate include those stored as project environment variables or in contexts.
For projects using API tokens, CircleCI has invalidated those tokens, and users will need to replace them.
Additionally, the DevOps company advises users to audit their internal logs for unauthorized access that occurred between December 21, 2022 and January 4, 2023.
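The log audit is the part of the advisory that needs a concrete procedure. The Python below is an added example, not code from the article or from CircleCI: it takes a constructed JSON-lines export of access logs from a system that a CI-stored credential could reach (a cloud account, a registry), keeps only events inside the December 21, 2022 to January 4, 2023 window, and flags any use of a CI-stored credential from an address outside the CI runners' known egress ranges. The field names, credential names, IP ranges, and the choice to treat the window as inclusive UTC days are assumptions.

```python
"""Audit access events for the CircleCI exposure window (Dec 21, 2022 - Jan 4, 2023).

Added example, not part of the article or of CircleCI's guidance. It assumes an
export of access logs from the systems your CI secrets could reach, one JSON
object per line, each carrying an ISO-8601 timestamp, the credential or
principal used and the source IP. Field names and sample records are constructed.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Exposure window named in the advisory; both days inclusive, treated as UTC (assumption).
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 4, 23, 59, 59, tzinfo=timezone.utc)

# Constructed: credentials that were stored in CircleCI, and the egress range
# your own CI runners use. Use of those credentials from anywhere else is suspect.
CI_STORED_CREDENTIALS = {"AKIA_CI_DEPLOY_EXAMPLE", "registry-push-token"}
KNOWN_CI_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)

# Constructed sample log export (JSON lines).
SAMPLE_LOG = """\
{"time": "2022-12-20T09:12:00Z", "principal": "AKIA_CI_DEPLOY_EXAMPLE", "source_ip": "203.0.113.10", "action": "ecr:PutImage"}
{"time": "2022-12-23T03:41:17Z", "principal": "AKIA_CI_DEPLOY_EXAMPLE", "source_ip": "198.51.100.77", "action": "s3:ListBuckets"}
{"time": "2022-12-28T14:05:00Z", "principal": "registry-push-token", "source_ip": "203.0.113.22", "action": "registry:push"}
{"time": "2023-01-02T22:59:59Z", "principal": "registry-push-token", "source_ip": "192.0.2.5", "action": "registry:pull"}
{"time": "2023-01-05T00:00:01Z", "principal": "AKIA_CI_DEPLOY_EXAMPLE", "source_ip": "198.51.100.77", "action": "s3:ListBuckets"}
{"time": "2022-12-30T11:00:00Z", "principal": "alice@example.com", "source_ip": "192.0.2.9", "action": "console:login"}
"""


def parse_time(value):
    """Parse an ISO-8601 timestamp; older fromisoformat() rejects a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_window(ts):
    """True when the timestamp falls inside the advisory's exposure window."""
    return WINDOW_START <= ts <= WINDOW_END


def from_known_egress(ip_text):
    """True when the source address belongs to a known CI runner egress range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in KNOWN_CI_EGRESS)


def find_suspect_events(log_text):
    """Return in-window events where a CI-stored credential was used from an
    address outside the known CI egress ranges, in log order."""
    suspects = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not in_window(parse_time(event["time"])):
            continue  # outside the period the advisory asks to review
        if event["principal"] not in CI_STORED_CREDENTIALS:
            continue  # not a credential CircleCI held; out of scope for this check
        if from_known_egress(event["source_ip"]):
            continue  # normal pipeline traffic from your own runners
        suspects.append(event)
    return suspects


if __name__ == "__main__":
    for e in find_suspect_events(SAMPLE_LOG):
        print(f"{e['time']} {e['principal']} from {e['source_ip']} did {e['action']}")
```

Rotation makes the exposed values useless from now on; this kind of review is what tells you whether they were used during the window. On the constructed sample, the two events flagged are the ones where a CI-held credential was exercised from an address no runner uses, while the event dated January 5 falls outside the window and is ignored.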
Breach follows CircleCI “reliability” update
Ironically, the wording suggests that CircleCI was hacked on December 21, the same day it posted a “reliability update” reinforcing its commitment to improving its services.
Said reliability update had itself followed a series of similar updates from April 2022 when CircleCI admitted that its reliability had not lived up to user expectations.
“At CircleCI, our mission is to manage change so software teams can innovate faster. But lately, we know our reliability hasn’t met our customers’ expectations,” Zuber wrote at the time.
In September 2022, CircleCI released another such update following the pipelines page being unavailable “for a significant portion of the day”, preventing many teams from managing their workloads.
These updates follow a series of security issues for CircleCI over the past few years.
In mid-2019, CircleCI was the victim of a data breach resulting from the compromise of a third-party vendor. This exposed user data, including usernames and email addresses associated with users’ GitHub and Bitbucket accounts, as well as their IP addresses, organization names, repository URLs, and more.
In 2022, threat actors were caught stealing GitHub accounts via fake CircleCI email notifications sent to users.
These phishing attempts were not necessarily the result of a new compromise, and CircleCI, at the time, reassured users that its systems remained secure. But threat actors often use email addresses obtained in a previous breach (e.g., the 2019 incident) to target customers of an affected company with phishing scams.
Regarding the disclosure of Wednesday’s security incident, CircleCI apologized for any inconvenience this may cause. The company plans to share more details in the coming days upon completion of the investigation.