CircleCI tells users to move their secrets following security alert

Bad Bots
(Image credit: Gonin / Shutterstock)

Continuous integration and delivery service providers CircleCi is suspecting foul play in its systems and is urging its users to take action and protect their accounts while it investigates the matter further.

In a post on its company blog, CircleCi asked its customers to immediately rotate any and all secrets stored in its systems. “These may be stored in project environment variables or in contexts”. 

Furthermore, CircleCi recommends its customers review internal logs for their systems, and look for any unauthorized access starting from December 21, 2022 through January 4, 2023, or until the moment all secrets had been rotated. Finally, CircleCI said it invalidated all Project API tokens, forcing users to replace them. Further information on how that can be done can be found on this link

An apology and no explanation

“We apologize for any disruption to your work,” the post notes. “We take the security of our systems and our customers’ systems extremely seriously. While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days.”

The company did not disclose any additional details about the security incident it’s currently investigating, so we don’t know if any malware or viruses were deployed on its endpoints

"At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well,” the post reads.

While details are scarce, BleepingComputer found a report by security engineer Daniel Hückmann, who said he spotted one of the IP addresses associated with the attack (54.145.167.181). According to the publication, this is the type of information that can help incident response teams during their investigations.

“Search cloudtrail logs for events from this IP,” he said. “I expect there are other indicators, but this one is high fidelity.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.