This morning many developers received an email informing them that CircleCI had been breached between 21st December 2022 and 4th January 2023.
Image from https://www.bleepingcomputer.com
Am I affected?
The statement says:
"At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well."
What do I need to do?
The recommendation is to 'Immediately rotate any and all secrets stored in CircleCI. These may be stored in project environment variables or in contexts.'
This includes SSH keys and other secrets.
How do I rotate my keys?
To rotate keys please refer to this documentation on CircleCI's website - https://circleci.com/docs/managing-api-tokens/#rotating-a-project-api-token
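As an added example (not from the original post or from CircleCI), a small Python script that inventories a project's environment variables through the CircleCI API v2 and replaces each one with a freshly issued value. It assumes the v2 endpoints GET/POST/DELETE /project/{project-slug}/envvar with the Circle-Token header, a placeholder token in the CIRCLE_TOKEN environment variable, and that the replacement values were already reissued at their origin (cloud provider, registry, Git host); secrets held in contexts use separate endpoints and are not covered here.

```python
"""Inventory and rotate CircleCI project env vars (API v2). Example code;
endpoints are assumed from the public v2 docs, CIRCLE_TOKEN is a placeholder."""
import json
import os
import urllib.request

API = "https://circleci.com/api/v2"


def _request(method, path, token, body=None):
    # Minimal authenticated JSON call; CircleCI v2 expects the Circle-Token header.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method,
        headers={"Circle-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def list_envvar_names(pages):
    """Names from one or more paged listing responses ({"items": [...]}).
    CircleCI masks values (e.g. "xxxx1234"), so the name is the only handle;
    every name listed is a secret that has to be rotated."""
    return sorted({item["name"] for page in pages for item in page.get("items", [])})


def plan_rotation(names, new_values):
    """Split names into those with a replacement ready and those still missing one.
    new_values must be credentials reissued upstream: overwriting only the copy
    stored in CircleCI leaves the exposed credential valid at its origin."""
    ready = {n: new_values[n] for n in names if n in new_values}
    missing = [n for n in names if n not in new_values]
    return ready, missing


def fetch_all_pages(slug, token):
    # Follow next_page_token until the listing is exhausted (slug e.g. "gh/org/repo").
    pages, page_token = [], None
    while True:
        query = f"?page-token={page_token}" if page_token else ""
        page = _request("GET", f"/project/{slug}/envvar{query}", token)
        pages.append(page)
        page_token = page.get("next_page_token")
        if not page_token:
            return pages


def rotate(slug, new_values, token=os.environ.get("CIRCLE_TOKEN", "PLACEHOLDER")):
    """Delete and recreate each env var that has a new value; return the ones skipped."""
    ready, missing = plan_rotation(list_envvar_names(fetch_all_pages(slug, token)), new_values)
    for name, value in ready.items():
        _request("DELETE", f"/project/{slug}/envvar/{name}", token)
        _request("POST", f"/project/{slug}/envvar", token, {"name": name, "value": value})
    return missing
```

The names returned by rotate() are the secrets still waiting for a reissued value, which is the list to work through before considering the project clean.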
Do you have any questions?
Please see this tweet from CircleCI answering some common questions: Tweet about common questions being answered by a CircleCI engineer
Or add a question to the CircleCI discussion board
References:
- CircleCI security alert: https://circleci.com/blog/january-4-2023-security-alert/
- CircleCI Twitter account: https://twitter.com/CircleCI
- BleepingComputer article about the CircleCI breach: https://www.bleepingcomputer.com/news/security/circleci-warns-of-security-breach-rotate-your-secrets/