CircleCI Urges Customers to Rotate Secrets Following Security Incident

Jan 05, 2023Ravie LakshmananDevOps / Security Breach

DevOps platform CircleCI on Wednesday urged its customers to rotate all their secrets following an unspecified security incident.

The company said an investigation is currently ongoing, but emphasized that “there are no unauthorized actors active in our systems.” Additional details are expected to be shared in the coming days.

“Immediately rotate any and all secrets stored in CircleCI,” CircleCI’s chief technology officer, Rob Zuber, said in a terse advisory. “These may be stored in project environment variables or in contexts.”

CircleCI is also recommending users to review internal logs for signs of any unauthorized access starting from December 21, 2022, to January 4, 2023, or until when the secrets are rotated.

The software development service did not disclose any further specifics about the breach, but said it has also invalidated all Project API tokens and that they need to be replaced.

The disclosure comes weeks after the company announced that it had released reliability updates to the service on December 21, 2022, to resolve underlying “systemic issues.”

It’s also the latest breach to hit CircleCI in recent years. The company, in September 2019, revealed “unusual activity” related to a third-party analytics vendor that resulted in unauthorized access to usernames and email addresses associated with GitHub and Bitbucket.

Then last year, it alerted users that fake CircleCI email notifications were being used to steal GitHub credentials and two-factor authentication (2FA) codes.