CircleCI tells users to move their secrets following security alert

The company seems to have been breached over the holidays

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Continuous integration and delivery service providers CircleCi is suspecting foul play in its systems and is urging its users to take action and protect their accounts while it investigates the matter further.

In aposton its company blog, CircleCi asked its customers to immediately rotate any and all secrets stored in its systems. “These may be stored in project environment variables or in contexts”.

Furthermore, CircleCi recommends its customers review internal logs for their systems, and look for any unauthorized access starting from December 21, 2022 through January 4, 2023, or until the moment all secrets had been rotated. Finally, CircleCI said it invalidated all Project API tokens, forcing users to replace them. Further information on how that can be done can be found onthis link.

An apology and no explanation

“We apologize for any disruption to your work,” the post notes. “We take the security of our systems and our customers’ systems extremely seriously. While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days.”

The company did not disclose any additional details about the security incident it’s currently investigating, so we don’t know if any malware or viruses were deployed on itsendpoints.

“At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well,” the post reads.

GitHub accounts are being stolen by fake CircleCI accounts>JavaScript is no longer the favorite programming language for developers>Check out the best ID theft protection services right now

While details are scarce, BleepingComputer found a report by security engineer Daniel Hückmann, who said he spotted one of the IP addresses associated with the attack (54.145.167.181). According to the publication, this is the type of information that can help incident response teams during their investigations.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“Search cloudtrail logs for events from this IP,” he said. “I expect there are other indicators, but this one is high fidelity.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics