Software development company CircleCI is urging its users to rotate their secrets after encountering a security incident.
CircleCI, a US-born software development service, has announced a security incident and is urging users to rotate their secrets accordingly.
CircleCI notifies users after a security issue
US DevOps platform CircleCI has issued a warning to its users to rotate their secrets after suffering a security incident. The CI/CD platform is popular with software teams, offering continuous integration and delivery for rapid code creation. More than a million people and thousands of businesses use the tool, and they are now being warned following this security incident.
In a CircleCI blog post, CTO Rob Zuber told users to “immediately rotate any secrets stored in CircleCI”, which “may be stored in project environment variables or in contexts”.
CircleCI also took to Twitter to alert customers to the issue.
Zuber wrote in the same blog post that customers should “review their systems’ internal logs for unauthorized access” from December 21, 2022 through January 4, 2023, or, if later, up to the point at which they completed their secrets rotation. Additionally, Zuber mentioned that all Project API tokens have been invalidated and therefore need to be replaced by users.
CircleCI did not provide details of the security incident
While CircleCI informed users of a security issue and offered guidance to protect data, no information has yet been released on the nature of the problem. However, it looks like CircleCI intends to provide more details about the incident in the near future (as stated by Rob Zuber in his blog post about it).
This is not CircleCI’s first security incident
Although we don’t know the details of the security incident discussed here, we do know that CircleCI has dealt with breaches before.
In 2019, the company suffered a breach that originated with a third-party analytics provider. The attacker managed to obtain usernames, email addresses, branch names, repository URLs, and IP addresses. At the time, the company warned users to review both their repository and branch names.
Take action if you are a CircleCI user
If you happen to use CircleCI, it’s worth considering the guidance provided by the company after this security issue. Rotating your secrets and reviewing internal logs can help protect against this potential security threat.
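The two pieces of guidance above (rotate every secret held in project environment variables and contexts; review your own systems' logs for the December 21, 2022 to January 4, 2023 window) can be scripted. The following is an added example, not CircleCI's own tooling and not from the blog post. It assumes the documented CircleCI API v2 paths for project environment variables and context environment variables, takes an injectable HTTP transport so it can be exercised offline against a constructed stand-in, and filters a constructed JSON-lines access log (a placeholder format, not CircleCI's audit log) to the advisory window. The project slug, context id and token values are placeholders.

```python
"""Rotate CircleCI-stored secrets and filter an access log to the advisory window.

Added example; assumptions: CircleCI API v2 endpoints
  GET/POST /project/{slug}/envvar
  GET /context/{id}/environment-variable, PUT .../environment-variable/{name}
The log format and all sample values below are constructed for the demo."""
import json
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Optional

API = "https://circleci.com/api/v2"

# Window named in CircleCI's advisory; UTC is an assumption of this example.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 4, 23, 59, 59, tzinfo=timezone.utc)

# transport(method, url, headers, body) -> (http_status, decoded_json)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], tuple]


def http_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> tuple:
    """Real transport over urllib; only used when no stand-in is injected."""
    from urllib import request
    req = request.Request(url, data=body, method=method, headers=headers)
    with request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


class CircleCISecrets:
    def __init__(self, token: str, transport: Transport = http_transport):
        self.headers = {"Circle-Token": token, "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> dict:
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self.transport(method, f"{API}{path}", self.headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return data

    def _items(self, path: str) -> List[dict]:
        """Follow next_page_token so large projects/contexts are fully inventoried."""
        items, token = [], None
        while True:
            data = self._call("GET", path + (f"?page-token={token}" if token else ""))
            items.extend(data.get("items", []))
            token = data.get("next_page_token")
            if not token:
                return items

    def project_envvar_names(self, project_slug: str) -> List[str]:
        # The API only returns masked values, so this is an inventory of names.
        return [i["name"] for i in self._items(f"/project/{project_slug}/envvar")]

    def rotate_project_envvar(self, project_slug: str, name: str, new_value: str) -> dict:
        # POSTing an existing name replaces the stored value.
        return self._call("POST", f"/project/{project_slug}/envvar", {"name": name, "value": new_value})

    def context_envvar_names(self, context_id: str) -> List[str]:
        return [i["variable"] for i in self._items(f"/context/{context_id}/environment-variable")]

    def rotate_context_envvar(self, context_id: str, name: str, new_value: str) -> dict:
        return self._call("PUT", f"/context/{context_id}/environment-variable/{name}", {"value": new_value})


def rotate_all(client: CircleCISecrets, project_slug: str, context_ids: List[str],
               new_value_for: Callable[[str], str]) -> List[str]:
    """Overwrite every secret CircleCI holds; new_value_for must return a credential
    freshly issued by its provider (AWS, npm, ...), with the old one revoked there."""
    rotated = []
    for name in client.project_envvar_names(project_slug):
        client.rotate_project_envvar(project_slug, name, new_value_for(name))
        rotated.append(f"project:{project_slug}:{name}")
    for cid in context_ids:
        for name in client.context_envvar_names(cid):
            client.rotate_context_envvar(cid, name, new_value_for(name))
            rotated.append(f"context:{cid}:{name}")
    return rotated


def events_in_window(lines: Iterable[str], start: datetime = WINDOW_START,
                     end: datetime = WINDOW_END) -> List[dict]:
    """Keep JSON-lines events whose ISO 8601 'ts' falls inside the advisory window."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if start <= ts <= end:
            hits.append(ev)
    return hits


# Constructed sample log: one event before, one inside, one after the window.
SAMPLE_LOG = """
{"ts": "2022-12-20T23:59:00Z", "actor": "ci-bot", "action": "deploy", "src": "203.0.113.10"}
{"ts": "2022-12-28T03:14:00Z", "actor": "ci-bot", "action": "read_secret", "src": "198.51.100.7"}
{"ts": "2023-01-05T08:00:00Z", "actor": "ci-bot", "action": "deploy", "src": "203.0.113.10"}
"""


class FakeTransport:
    """Constructed stand-in for the API so the example runs offline; records calls."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, body))
        if method == "GET" and url.endswith("/envvar"):
            return 200, {"items": [{"name": "AWS_SECRET_ACCESS_KEY", "value": "xxxxAB12"},
                                   {"name": "NPM_TOKEN", "value": "xxxx9f3e"}], "next_page_token": None}
        if method == "GET" and url.endswith("/environment-variable"):
            return 200, {"items": [{"variable": "DOCKERHUB_PASSWORD"}], "next_page_token": None}
        return 200, {}


if __name__ == "__main__":
    client = CircleCISecrets("CIRCLE_TOKEN_PLACEHOLDER", transport=FakeTransport())
    print(rotate_all(client, "gh/example-org/example-repo", ["CONTEXT_ID_PLACEHOLDER"],
                     lambda name: f"NEW_{name}_PLACEHOLDER"))
    print(events_in_window(SAMPLE_LOG.splitlines()))
```

Replacing `FakeTransport()` with the default `http_transport` runs the same flow against the real API. The point of the `new_value_for` callback is the one the advisory implies but does not spell out: overwriting CircleCI's copy of a credential does nothing unless the old credential has been revoked at its issuer, so the callback should hand back a value obtained from that issuer, not a cosmetic edit of the old one.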