Devs urged to rotate secrets after CircleCI suffers security breach

John Leyden 05 January 2023 at 14:38 UTC

DevOps platform advises customers to revoke API tokens

Developers are being urged to rotate secrets and API tokens following the discovery of a breach at popular DevOps platform CircleCI.

CircleCI, which offers a platform for continuous integration and continuous delivery of software development projects, admitted a “security incident” on Wednesday (January 4).

The vendor has launched an investigation which remains ongoing. In the meantime, and as a precaution, it is urging its software developer customers to take “preventative measures” to protect the integrity of software development projects.

RECOMMENDED Finding the next Log4j – OpenSSF’s Brian Behlendorf on pivoting to a ‘risk-centred view’ of open source development

Customers should immediately “rotate any and all secrets stored in CircleCI”, whether they are stored in project environment variables or in contexts. In addition, software development teams that rely on CircleCI should review systems logs dating back to December 21 for signs of compromise.

Lastly, in cases where software development projects use Project API tokens, software developers should invalidate existing project API tokens and replace them with freshly minted credentials.

‘Confident’

The nature of the apparent breach is currently unclear. However, in a statement on the incident, CircleCI said it is “confident that there are no unauthorized actors active in our systems” (perhaps implying that malign parties did have some access to its systems until the breach was detected).

CircleCI concluded by promising to keep customers “in the loop” about how its investigation was progressing.

“While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days,” the vendor said.

The Daily Swig asked CircleCI to comment on the circumstances of the breach, what additional precautions it is taking to prevent a repeat of the incident, and any lessons it has learned. We’ll update this story as and when CircleCI responds to our query or publishes a post-mortem on the incident.

All change

The episode is likely to be most inconvenient for software development teams that are in the habit of storing configuration files and secrets directly on CircleCI. It is more secure, albeit less straightforward, for calls to be made to fetch secrets from elsewhere.

Precisely what secrets need to be changed up has become a topic of discussion on CircleCI support forums.

In response to queries about whether SSH keys, Jira and Slack integration tokens, and webhook secrets also need to be changed as well as contexts and environment variables, a CircleCI employee implied that a complete re-up was in order.

“At this time, we recommend rotating SSH Keys and all tokens or secrets,” they said.

DON’T MISS Fill out our reader survey to be in with a chance of winning Burp Suite swag