CircleCI, a US-based continuous integration and delivery (CI/CD) service, has disclosed a security incident and is urging users to rotate their secrets as a result.

CircleCI Warns Users After Security Issue

American DevOps platform CircleCI has issued a warning to its users to rotate their secrets after experiencing a security incident. This CI/CD platform is popular with software teams, providing continuous integration and delivery so that code can be built, tested and shipped quickly. Over a million people and thousands of companies use this tool, and they are now being warned in the wake of this security incident.

In a CircleCI blog post, Chief Technology Officer Rob Zuber told users to "immediately rotate any and all secrets stored in CircleCI", which "may be stored in project environment variables or in contexts."

CircleCI also took to Twitter to warn customers of this issue.

Zuber wrote in the aforementioned blog post that customers should "review internal logs for their systems for any unauthorized access" for the period from December 21, 2022, to January 4, 2023. Users who prefer to rotate first can review their internal logs after rotating their secrets. Additionally, Zuber mentioned that all Project API tokens have been invalidated and therefore need to be replaced by users.
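The two actions the post describes, reviewing internal logs for the stated window and replacing secrets held in CircleCI project environment variables, can be scripted. The following is an added example and is not code from the article or from CircleCI; the log format, the sample log lines and the allowlist of expected source addresses are constructed, and the CircleCI v2 API endpoints (`/api/v2/project/{slug}/envvar`, authenticated with a `Circle-Token` header) are assumed from the public API documentation rather than taken from the page. Rotating context variables would follow the same pattern against the context endpoints.

```python
"""Added example (not from the article or from CircleCI): triage logs for the
advisory's window and rotate project environment variables via the CircleCI v2
API. Endpoints and header names are assumptions based on the public API docs."""
from datetime import datetime, timezone
import json
import urllib.request

# Window named in the advisory: December 21, 2022 through January 4, 2023.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 5, tzinfo=timezone.utc)   # exclusive: covers all of Jan 4

# Constructed sample log lines: "<ISO timestamp> actor=<name> src=<ip> action=<what>"
SAMPLE_LOGS = [
    "2022-12-20T23:59:00Z actor=ci-deployer src=10.0.0.5 action=pull-image",
    "2022-12-22T03:14:07Z actor=ci-deployer src=203.0.113.9 action=read-secret",
    "2022-12-30T11:02:44Z actor=alice src=10.0.0.7 action=login",
    "2023-01-03T18:45:10Z actor=unknown src=198.51.100.23 action=read-secret",
    "2023-01-05T00:00:01Z actor=ci-deployer src=10.0.0.5 action=pull-image",
]

# Constructed allowlist: addresses your own CI runners and staff are expected to use.
KNOWN_SOURCES = {"10.0.0.5", "10.0.0.7"}


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware 'ts' plus key=value fields."""
    ts_text, *fields = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = ts
    return event


def in_window(ts):
    """True when the timestamp falls inside the advisory's review window."""
    return WINDOW_START <= ts < WINDOW_END


def suspicious_events(lines, known_sources=KNOWN_SOURCES):
    """Events inside the window whose source address is not an expected origin.
    Anything returned here deserves a manual look, since a stolen CI secret would
    typically be used from infrastructure you do not recognise."""
    flagged = []
    for line in lines:
        event = parse_line(line)
        if in_window(event["ts"]) and event["src"] not in known_sources:
            flagged.append(event)
    return flagged


def urllib_sender(token):
    """Build a real sender for the CircleCI v2 API (assumed: Circle-Token header,
    JSON request bodies). Returns the HTTP status of each call."""
    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Circle-Token", token)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return resp.status
    return send


def rotate_project_env_vars(project_slug, new_values, send):
    """Replace each project environment variable: DELETE the old entry, then POST
    the new value. `new_values` maps variable name to a value already reissued
    at the upstream provider (rotating the copy in CircleCI alone is not enough).
    Returns the names that were rotated, in order."""
    base = f"https://circleci.com/api/v2/project/{project_slug}/envvar"
    rotated = []
    for name, value in new_values.items():
        send("DELETE", f"{base}/{name}", None)
        send("POST", base, {"name": name, "value": value})
        rotated.append(name)
    return rotated


if __name__ == "__main__":
    for ev in suspicious_events(SAMPLE_LOGS):
        print(ev["ts"].isoformat(), ev["actor"], ev["src"], ev["action"])

    # Dry run: print the requests that a real rotation would send.
    def dry_run(method, url, body):
        print(method, url, body)
        return 200

    rotate_project_env_vars("gh/example-org/example-repo",
                            {"AWS_ACCESS_KEY_ID": "<value reissued at provider>"},
                            dry_run)
```

Two points the script encodes that are easy to miss in practice: the window is inclusive of January 4, so the upper bound is midnight on January 5; and the new secret values must be issued by the upstream provider (cloud account, package registry, database) before being written back, since an attacker who already holds the old value is unaffected by a change made only inside CircleCI.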

CircleCI Has Not Provided Details on the Security Incident

While CircleCI has notified users of a security issue and has offered advice for protecting data, no information has yet been released on the nature of the problem. However, CircleCI intends to provide more details on the incident in the near future, as Rob Zuber stated in his blog post on the matter.

This Isn't the First CircleCI Security Incident

Though we don't know the specifics of the security incident discussed here, we do know that CircleCI has dealt with breaches before.

In 2019, the company suffered a breach through the compromise of a third-party analytics vendor. The attacker managed to obtain usernames, email addresses, branch names, repository URLs, and IP addresses. At the time, the company warned users to review both their repository and branch names.

Take Action If You're a CircleCI User

If you use CircleCI, it's worth following the advice provided by the company after this security issue. Rotating your secrets and reviewing internal logs for the stated window may help you protect yourself against this possible security threat.