CircleCI is an open source software development company that has revealed a security breach and is asking users to change their passwords.
The CI/CD platform boasts a large user base of more than 1 million engineers who rely on it for the “speed and reliability” of their builds.
CircleCI alerts its users to the problem
According to emails received by CircleCI users, the company says it is investigating a security issue.
Users are advised to remove any secrets from CircleCI that they may have stored until the investigation is complete.
CircleCI is emailing users about the security incident
In a brief , Rob Zuber, CircleCI's CTO, states that “We will give you updates regarding this incident and our response as soon as they become available.” The statement was published on Wednesday.
We are certain that no unauthorised actors are active within our systems at this time. However, because of the abundance of caution we ask that customers also take preventative steps to safeguard their data.
Customers are encouraged to remove secrets stored in project environment variables and contexts.
CircleCI has removed API tokens from projects and will require that users .
The DevOps firm advises that users audit their logs to identify unauthorized access between December 21, 2022 and January 4, 2023.
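The advice above amounts to a small triage procedure: fix the incident window, pull the audit log, and find which identities read stored secrets during that window so those secrets can be rotated. The following script is an added example, not code from the article or from CircleCI; it assumes a constructed JSON-lines audit log format (fields `ts`, `actor`, `action`, `target`) and the sample events are invented for illustration.

```python
"""Added example (not from the article or CircleCI): filter a constructed audit
log to the incident window the article names (December 21, 2022 to
January 4, 2023) and summarise which actors read secrets inside that window.
The log format below is an assumption, not CircleCI's real audit log schema."""
import json
from datetime import datetime, timezone

# Incident window stated in the article, treated as inclusive UTC days.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 4, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample log lines (invented actors, tokens and targets).
SAMPLE_LOG = """
{"ts": "2022-12-15T10:00:00Z", "actor": "alice", "action": "context.read", "target": "prod-secrets"}
{"ts": "2022-12-23T03:14:00Z", "actor": "svc-token-9f1", "action": "env_var.read", "target": "AWS_SECRET_ACCESS_KEY"}
{"ts": "2022-12-30T22:01:00Z", "actor": "svc-token-9f1", "action": "context.read", "target": "prod-secrets"}
{"ts": "2023-01-02T09:30:00Z", "actor": "bob", "action": "pipeline.run", "target": "main"}
{"ts": "2023-01-06T08:00:00Z", "actor": "alice", "action": "env_var.read", "target": "NPM_TOKEN"}
"""

# Actions (assumed names) that expose stored secret material to the caller.
SECRET_ACTIONS = {"context.read", "env_var.read"}


def parse_events(text):
    """Parse JSON-lines audit text into dicts with a timezone-aware 'ts'."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # fromisoformat does not accept a trailing 'Z' on older Pythons.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def in_window(ev, start=WINDOW_START, end=WINDOW_END):
    """True if the event timestamp falls inside the incident window."""
    return start <= ev["ts"] <= end


def secret_access_by_actor(events):
    """Map each actor to the sorted secrets it read inside the window.

    Every secret listed here should be rotated, since the article's advice is
    that anything readable during the window must be treated as exposed."""
    hits = {}
    for ev in events:
        if in_window(ev) and ev["action"] in SECRET_ACTIONS:
            hits.setdefault(ev["actor"], set()).add(ev["target"])
    return {actor: sorted(targets) for actor, targets in hits.items()}


if __name__ == "__main__":
    report = secret_access_by_actor(parse_events(SAMPLE_LOG))
    for actor, targets in report.items():
        print(f"{actor}: rotate {', '.join(targets)}")
```

Reads before or after the window (the two `alice` events) are deliberately excluded, and a pipeline run that touches no secret is ignored; on a real export the same logic applies once the field names are mapped to the platform's actual schema.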
CircleCI publishes a ‘reliability update’ before the breach
The wording implies that CircleCI was breached on December 21, which is ironic considering it also published a “ ” on that date, strengthening its commitment to improving its services.
This reliability update was the latest in a string of updates that began in April 2022, when CircleCI acknowledged its reliability wasn’t up to user expectations.
CircleCI’s mission is to facilitate software team innovation by managing change. Zuber stated at that time, “But lately we know our reliability hasn’t met our customers’ expectations.”
CircleCI published another update in September 2022 after “a significant portion” of the Pipelines page became unavailable, affecting many teams’ ability to manage their workload.
These updates follow a number of security problems that CircleCI has faced over the last few years.
in mid-2019 due to a compromise at a third-party vendor. The compromise resulted in the loss of usernames and email addresses for Bitbucket and GitHub accounts, as well as IP addresses and repository URLs.
Threat actors stole GitHub accounts in 2022 via .
CircleCI phishing emails seen in 2022
(CircleCI)
That phishing attempt didn’t necessarily rely on a new compromise. CircleCI, at that time, . However, threat actors may use email addresses from an older breach, such as the 2019 one, to target customers.
CircleCI apologizes for the inconvenience caused by Wednesday’s security breach disclosure and says it will share more information in the coming days, once the investigation is complete.