CircleCI Warns Customers to Rotate Secrets After Security Incident

CircleCI, a provider of continuous integration and continuous delivery services for a wide range of organizations, is warning customers to rotate any secrets they have stored in the CircleCI service after an unspecified security incident at the company.

In a short message posted Wednesday, CircleCI CTO Rob Zuber said that the company is investigating an incident that occurred recently, and that the investigation is still ongoing.

“At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well,” Zuber said.

“Out of an abundance of caution, we strongly recommend that all customers take the following actions: Immediately rotate any and all secrets stored in CircleCI. These may be stored in project environment variables or in contexts. We also recommend customers review internal logs for their systems for any unauthorized access starting from December 21, 2022 through today, January 4, 2023, or upon completion of your secrets rotation.”

Zuber also said that the company has validated all of the Project API tokens used in any project hosted on CircleCI.

CircleCI provides hosted and non-hosted options for its services, and Zuber did not specify where the security incident occurred or what part of its services may be affected.

“We take the security of our systems and our customers’ systems extremely seriously. While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days,” Zuber said.