CircleCI, the company behind a popular cloud-based continuous integration platform, has warned developers that it has been hit by a “security incident” and is strongly recommending that any data stored on its systems be changed. The company also advised customers to check for “any unauthorized access” to their systems from 21 December 2022 until their credentials have been changed, it told DevClass.
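One way to carry out the “check for any unauthorized access” step above, as an added example that is not from CircleCI or the article: the script below reviews constructed CloudTrail-style events for a hypothetical deploy principal whose access key was stored in CircleCI, flagging activity in the incident window that came from outside the CI egress range or that is not a normal deploy action. The principal name, egress range, rotation date and event records are all assumptions constructed for the example.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Window named in CircleCI's advice: 21 Dec 2022 until credentials are rotated.
# The rotation date is a constructed assumption for this example.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
ROTATION_DONE = datetime(2023, 1, 5, tzinfo=timezone.utc)

# Hypothetical egress range your CI jobs normally use (an assumption, not a published CircleCI range).
CI_EGRESS = [ip_network("203.0.113.0/24")]
# Hypothetical IAM user whose key lived in a CircleCI environment variable.
CI_PRINCIPAL = "ci-deploy"
# Actions a deploy job should never need; anything here from the CI key is worth a look.
NON_DEPLOY_ACTIONS = {"CreateAccessKey", "CreateUser", "AttachUserPolicy"}

# Constructed CloudTrail-style records (not real log data).
EVENTS = [
    {"eventTime": "2022-12-20T10:00:00Z", "eventName": "PutObject", "sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "ci-deploy"}},
    {"eventTime": "2022-12-28T03:12:00Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.23", "userIdentity": {"userName": "ci-deploy"}},
    {"eventTime": "2022-12-29T14:00:00Z", "eventName": "PutObject", "sourceIPAddress": "203.0.113.9", "userIdentity": {"userName": "ci-deploy"}},
    {"eventTime": "2023-01-02T22:41:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.9", "userIdentity": {"userName": "ci-deploy"}},
    {"eventTime": "2022-12-30T09:05:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.5", "userIdentity": {"userName": "alice"}},
]

def parse_ts(value):
    # CloudTrail timestamps are UTC with a trailing Z; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def suspicious(event):
    """Return a reason string if the event deserves manual review, else None."""
    if event["userIdentity"].get("userName") != CI_PRINCIPAL:
        return None  # Only the key that was exposed to CircleCI is in scope here.
    ts = parse_ts(event["eventTime"])
    if not (WINDOW_START <= ts < ROTATION_DONE):
        return None  # Outside the exposure window.
    src = ip_address(event["sourceIPAddress"])
    if not any(src in net for net in CI_EGRESS):
        return f"{event['eventTime']} {event['eventName']} from unexpected IP {src}"
    if event["eventName"] in NON_DEPLOY_ACTIONS:
        return f"{event['eventTime']} {event['eventName']} is not a deploy action"
    return None

def review(events):
    """Collect review reasons for all events, in log order."""
    return [reason for reason in (suspicious(e) for e in events) if reason]

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```

The sample data yields two findings: a call from an IP outside the CI range and a key-creation action using the deploy key, both inside the window; the pre-window event and the unrelated user are ignored.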
A discussion with customers revealed several key points. A developer asked which secrets might be affected beyond those specifically mentioned in the CircleCI post, such as “SSH keys, integration tokens for Jira and Slack, webhook secrets, etc.” The answer was that “all tokens and secrets” should be rotated, i.e. deleted and re-created.
Another question was “is it safe to add new secrets to CircleCI?” The response from an employee was that they are now sure that there are no unauthorized participants active on their systems.
Rotating all secrets may not be an easy task. “We have hundreds of repositories and different platform teams working in CircleCI, as a security team it’s hard to ensure we’ve rotated everything,” said a developer. Another developer has already published a script on GitHub designed to list all the certificates.
Another developer asked whether there was any chance attackers had injected code or manipulated their builds.
As of now, there has been no response from CircleCI.
The implications of an incident such as this will vary depending on the extent to which the organization follows best practices with respect to secrets management and the principle of least privilege. CircleCI’s 2021 publication recommends the use of secrets management tools, automated secrets management, and “cycling secrets on release.”
Unfortunately, it appears that at least between December 21, 2022 and January 4, 2023, this was not the case.