Devs urged to rotate secrets after CircleCI suffers security breach

Developers are being urged to rotate secrets and API tokens following the discovery of a breach at popular DevOps platform CircleCI.

CircleCI, which offers a platform for continuous integration and continuous delivery of software development projects, admitted a “security incident” on Wednesday (January 4).

The vendor has launched an investigation which remains ongoing. In the meantime, and as a precaution, it is urging its software developer customers to take “preventative measures” to protect the integrity of software development projects.

Customers should immediately “rotate any and all secrets stored in CircleCI”, whether they are stored in project environment variables or in contexts. In addition, software development teams that rely on CircleCI should review their own system logs dating back to December 21 for signs of unauthorized access, since any secret CircleCI held may have been usable against the systems it grants access to.

Lastly, in cases where software development projects use Project API tokens, software developers should invalidate existing project API tokens and replace them with freshly minted credentials.
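The three steps above amount to a rotation procedure, and for an account with many projects and contexts it is worth scripting. The following is an added example, not CircleCI’s own tooling. It uses the CircleCI API v2 endpoints for project environment variables and context environment variables as the author understands them (list, delete and re-create a project variable, and PUT a context variable); verify the paths against the current API reference before running it against a real account. Project API tokens, which the page says must also be invalidated, are not covered here. The fresh secret values must come from wherever the credential was actually reissued (the cloud account, registry or SaaS provider); this script only replaces what CircleCI has stored. The `FakeCircleCI` transport and its fixture data are constructed so the example runs offline.

```python
"""Inventory and rotate secrets stored in CircleCI project env vars and contexts.

Added example, not CircleCI's own code.  Endpoint paths and JSON field names
follow the public API v2 as understood by the author; check them against
https://circleci.com/docs/api/v2/ before use.  `FakeCircleCI` is a constructed
in-memory stand-in for the API so that the script runs offline.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

API_BASE = "https://circleci.com/api/v2"

# Transport: (method, url, headers, body_bytes_or_None) -> (status, response_text)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], tuple]


def urllib_transport(method, url, headers, body):
    """Real HTTP transport using only the standard library."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")


class CircleCI:
    """Thin client for the handful of v2 endpoints a rotation needs."""

    def __init__(self, token: str, transport: Transport = urllib_transport):
        self.headers = {"Circle-Token": token, "Content-Type": "application/json",
                        "Accept": "application/json"}
        self.transport = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        status, text = self.transport(method, API_BASE + path, self.headers, data)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {text}")
        return json.loads(text) if text else {}

    def _paged(self, path: str) -> List[dict]:
        """Follow next_page_token / page-token pagination on list endpoints."""
        items, token = [], None
        while True:
            page = self._call("GET", path + (f"?page-token={token}" if token else ""))
            items.extend(page.get("items", []))
            token = page.get("next_page_token")
            if not token:
                return items

    def project_env_var_names(self, slug: str) -> List[str]:
        # Values come back masked, so only the names are useful for inventory.
        return [i["name"] for i in self._paged(f"/project/{slug}/envvar")]

    def replace_project_env_var(self, slug: str, name: str, value: str) -> None:
        # Project env vars have no update endpoint: delete, then re-create.
        self._call("DELETE", f"/project/{slug}/envvar/{name}")
        self._call("POST", f"/project/{slug}/envvar", {"name": name, "value": value})

    def context_env_var_names(self, context_id: str) -> List[str]:
        return [i["variable"] for i in self._paged(f"/context/{context_id}/environment-variable")]

    def set_context_env_var(self, context_id: str, name: str, value: str) -> None:
        # PUT creates or overwrites the context variable in place.
        self._call("PUT", f"/context/{context_id}/environment-variable/{name}", {"value": value})


def rotate_all(client, project_slugs, context_ids, new_value_for):
    """Rotate every stored secret.  new_value_for(name) returns the reissued
    credential; it is evaluated *before* the old value is deleted, and a
    KeyError there halts the run so nothing is removed without a replacement."""
    rotated = {"projects": {}, "contexts": {}}
    for slug in project_slugs:
        names = client.project_env_var_names(slug)
        for name in names:
            client.replace_project_env_var(slug, name, new_value_for(name))
        rotated["projects"][slug] = sorted(names)
    for cid in context_ids:
        names = client.context_env_var_names(cid)
        for name in names:
            client.set_context_env_var(cid, name, new_value_for(name))
        rotated["contexts"][cid] = sorted(names)
    return rotated


class FakeCircleCI:
    """Constructed in-memory API so the example runs offline (fixture data only)."""

    def __init__(self):
        self.projects = {"gh/example-org/api": {"AWS_ACCESS_KEY_ID": "old", "NPM_TOKEN": "old"}}
        self.contexts = {"ctx-0001": {"DOCKERHUB_PASSWORD": "old"}}
        self.calls = []

    def __call__(self, method, url, headers, body):
        assert headers.get("Circle-Token"), "Circle-Token header missing"
        path = url[len(API_BASE):].split("?")[0]
        parts = path.strip("/").split("/")
        self.calls.append((method, path))
        payload = json.loads(body) if body else {}
        if parts[0] == "project":
            store = self.projects["/".join(parts[1:4])]
            if method == "GET":
                return 200, json.dumps({"items": [{"name": n, "value": "xxxx"} for n in store],
                                        "next_page_token": None})
            if method == "DELETE":
                del store[parts[5]]
                return 200, '{"message": "Environment variable deleted."}'
            if method == "POST":
                store[payload["name"]] = payload["value"]
                return 201, json.dumps({"name": payload["name"], "value": "xxxx"})
        if parts[0] == "context":
            store = self.contexts[parts[1]]
            if method == "GET":
                return 200, json.dumps({"items": [{"variable": n, "context_id": parts[1]} for n in store],
                                        "next_page_token": None})
            if method == "PUT":
                store[parts[3]] = payload["value"]
                return 200, json.dumps({"variable": parts[3], "context_id": parts[1]})
        return 404, '{"message": "Not Found"}'
```

Run `rotate_all` first with a `new_value_for` that raises for any name you have not yet reissued: the inventory it fails on is your rotation checklist, and because the new value is looked up before the old one is deleted, a missing credential leaves the existing variable in place rather than deleting it. Swap `FakeCircleCI()` for the default `urllib_transport` to run it for real.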

‘Confident’

The nature of the apparent breach is currently unclear. However, in a statement on the incident, CircleCI said it is “confident that there are no unauthorized actors active in our systems” (perhaps implying that malign parties did have some access to its systems until the breach was detected).

CircleCI concluded by promising to keep customers “in the loop” about how its investigation was progressing.

“While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days,” the vendor said.

The Daily Swig asked CircleCI to comment on the circumstances of the breach, what additional precautions it is taking to prevent a repeat of the incident, and any lessons it has learned. We’ll update this story as and when CircleCI responds to our query or publishes a post-mortem on the incident.

All change

The episode is likely to be most inconvenient for software development teams that are in the habit of storing configuration files and secrets directly on CircleCI. It is more secure, albeit less straightforward, for pipelines to fetch secrets at run time from an external secrets store, so that the CI provider never holds long-lived credentials at rest and a compromise of the provider exposes less.

Precisely which secrets need to be rotated has become a topic of discussion on CircleCI support forums.

In response to queries about whether SSH keys, Jira and Slack integration tokens, and webhook secrets need to be changed in addition to contexts and environment variables, a CircleCI employee indicated that a complete rotation was in order.

“At this time, we recommend rotating SSH Keys and all tokens or secrets,” they said.

Source: https://portswigger.net/daily-swig/devs-urged-to-rotate-secrets-after-circleci-suffers-security-breach
