CircleCI customers have been advised to rotate secrets as a major security breach appears to have given attackers access to a broad variety of authentication credentials.
Though the company advised clients to rotate “all secrets” in the wake of the breach, it maintains that the platform is still safe to build on. The lack of specificity about the attack is prompting some of these clients to add security measures to their configurations, and some are considering a move to a competing platform.
CircleCI advisory to rotate secrets comes after December 21 breach
CircleCI has been involved in several recent attack attempts and at least one other security breach, though that dates back to August 2019. More recently, the company was impersonated by a phishing campaign aimed at stealing GitHub credentials. Those incidents were not serious enough to require clients to rotate secrets, however, and as yet there is no evidence connecting them to this breach.
CircleCI said that the breach took place as early as December 21, the same date it published a reliability update (no connection between the two has been established as yet). Former Travis CI customers who jumped ship over the past year are likely the most frustrated by this incident, as it closely resembles a security breach there that was both serious enough to require customers to rotate secrets quickly and plagued by communication problems.
More information about the security breach is hopefully forthcoming, but the advisory to “rotate secrets immediately” says enough about its seriousness all by itself. The incident likely has some CircleCI clients thinking about implementing regular automated rotations of credentials and testing out related incident response plans in anticipation of more of this happening in the future.
Minimal information in security breach reports becoming the norm
Organizations are battling with something of an adversarial relationship with the platforms they rely on, as those platforms seemingly take the tack of releasing as little security breach information as legally possible and sometimes concealing the full consequences for months at a time. There isn’t yet any clear indication that’s what will happen here, but similar stories have been playing out with numerous services.
At the very least, it is immediately clear that the CircleCI security breach is quite serious given the urgent instruction to rotate secrets. The alert came roughly two weeks after the incident, though that lag may reflect the time it took to discover the breach.
Among other things, CircleCI has provided instructions for its clients to rotate project and user API tokens, project variables, and SSH keys. The company has also promised a full audit of its internal system access and third-party partners, along with cycling all of its access keys and production machines.
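The rotation of project variables described above, and the automated rotation some clients are said to be considering, can be scripted against CircleCI's own API. The following is an added example, not code from the article or from CircleCI. It assumes the CircleCI API v2 project environment-variable endpoints (GET and POST on `/project/{project-slug}/envvar`, authenticated with a `Circle-Token` header, paginated with a `page-token` query parameter, with POST on an existing name acting as an upsert) and that the listing returns masked values, so the inventory is by name only. The replacement values have to be minted upstream first (a new cloud IAM key, a new registry token) and passed in; writing them into CircleCI does not revoke the old ones, and user API tokens and SSH keys are rotated through separate endpoints not covered here. The project slug and token below are placeholders.

```python
"""Rotate CircleCI project environment variables after a platform breach.

Added example (not from the article or from CircleCI). Assumed API v2 shape:
  GET  /project/{slug}/envvar           -> {"items": [{"name", "value"}], "next_page_token"}
  POST /project/{slug}/envvar           -> upsert {"name": ..., "value": ...}
Authentication is a "Circle-Token" header. Listed values are masked, so the
inventory is by name; fresh values come from the upstream provider.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

API_BASE = "https://circleci.com/api/v2"

# HTTP hook signature: (method, url, token, json_body) -> decoded JSON or None.
ApiCall = Callable[[str, str, str, Optional[dict]], Optional[dict]]


def circleci_api_call(method: str, url: str, token: str,
                      body: Optional[dict] = None) -> Optional[dict]:
    """Minimal real HTTP client for the assumed API v2 endpoints (needs network)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Circle-Token", token)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def list_env_var_names(slug: str, token: str,
                       api_call: ApiCall = circleci_api_call) -> List[str]:
    """Inventory every project variable name, following pagination."""
    names: List[str] = []
    page_token: Optional[str] = None
    while True:
        url = f"{API_BASE}/project/{slug}/envvar"
        if page_token:
            url += f"?page-token={page_token}"
        page = api_call("GET", url, token, None) or {}
        names.extend(item["name"] for item in page.get("items", []))
        page_token = page.get("next_page_token")
        if not page_token:
            return names


def rotate_project_env_vars(slug: str, token: str, new_values: Dict[str, str],
                            api_call: ApiCall = circleci_api_call) -> Dict[str, List[str]]:
    """Overwrite each project variable for which a fresh value was supplied.

    Returns a report by name only (never values), suitable for an incident log:
      rotated - overwritten with a new value
      pending - still holding a potentially exposed value (no replacement yet)
      unknown - names in new_values that the project does not define
    """
    existing = list_env_var_names(slug, token, api_call)
    report: Dict[str, List[str]] = {"rotated": [], "pending": [], "unknown": []}
    for name in existing:
        if name in new_values:
            api_call("POST", f"{API_BASE}/project/{slug}/envvar", token,
                     {"name": name, "value": new_values[name]})
            report["rotated"].append(name)
        else:
            report["pending"].append(name)
    report["unknown"] = sorted(set(new_values) - set(existing))
    return report


class FakeCircleCI:
    """Constructed in-memory stand-in for the API so the example runs offline.

    Emulates two result pages and masked values; records every call by name.
    """

    def __init__(self, names: List[str]):
        self.vars = {n: "old-value" for n in names}
        self.calls: List[tuple] = []

    def __call__(self, method: str, url: str, token: str, body: Optional[dict]) -> Optional[dict]:
        self.calls.append((method, url.split("/api/v2/", 1)[1], body["name"] if body else None))
        names = sorted(self.vars)
        if method == "GET":
            if "page-token=" not in url:
                return {"items": [{"name": n, "value": "xxxx1234"} for n in names[:1]],
                        "next_page_token": "p2" if len(names) > 1 else None}
            return {"items": [{"name": n, "value": "xxxx1234"} for n in names[1:]],
                    "next_page_token": None}
        if method == "POST":
            self.vars[body["name"]] = body["value"]
            return {"name": body["name"], "value": "xxxx" + body["value"][-4:]}
        return None


if __name__ == "__main__":
    # Offline demo with constructed data; a real run swaps in circleci_api_call.
    fake = FakeCircleCI(["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "NPM_TOKEN"])
    fresh = {"AWS_ACCESS_KEY_ID": "CONSTRUCTED-NEW-ID",
             "AWS_SECRET_ACCESS_KEY": "CONSTRUCTED-NEW-SECRET"}
    print(rotate_project_env_vars("gh/example-org/example-repo", "PLACEHOLDER_TOKEN",
                                  fresh, api_call=fake))
```

The report's `pending` list is the point of the script for incident response: every name still on it is a credential that may be in an attacker's hands, and the run is not done until it is empty. Logging names rather than values keeps the rotation record itself from becoming a new secret to protect.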
A forensic investigation is also underway and will hopefully yield more information in the near future. In the meantime, CircleCI clients need to rotate secrets as soon as possible, since the risk of compromise and abuse remains unknown.