From the Confluent Support Portal (requires an account):
Published 2021-04-20 21:39

> Confluent Cloud CLI tool (ccloud) Vulnerability: Credential Exposure to Third-Party Analytics
>
> Impacted versions: 1.21 (released November 20, 2020), 1.22, and 1.23
>
> Recommended action: Update the Confluent Cloud CLI tool to version 1.25.
>
> The Confluent Cloud CLI tool, known as ccloud, contained a vulnerability that resulted in the transmission of Confluent API keys and secrets to a third party data analytics service when users entered an API secret as an argument to the tool.
>
> The third party service is a vendor used by Confluent to collect metrics and usage data for analysis. Previous versions of the CLI tool employed filtering to prevent the transmission of API keys and secrets.
>
> As part of our incident response, we immediately instructed the third party service to stop collection of ccloud analytics data and to delete all such data from its systems. We also released a new version of ccloud, version 1.25, which does not have this vulnerability.
>
> We have analyzed the data sent to the third party service and identified customer accounts from whom API keys and secrets have been sent. We have notified those customers. Our initial investigation has revealed no evidence of misuse of the API keys or secrets or any compromise of customer data.
>
> We urge all customers to update the Confluent Cloud CLI tool to version 1.25. If you already have ccloud installed, the simplest way is to log in to the Confluent Cloud CLI and run the following command:
>
>     ccloud update

The embedding of 3rd party analytics tools to track usage metrics will be the undoing of us all. If you are going to track users then at the very least own the entire tracking apparatus so that it does not get leaked to a 3rd party if you make a mistake.
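The advisory says earlier ccloud versions filtered API keys and secrets out of the analytics data, and that the leak happened when a secret was given as a command-line argument. The following Go example, added here and not Confluent's code, contrasts the deny-list style of argument scrubbing that such a filter typically uses (it only knows specific secret flags, so a secret in a positional argument slips through) with an allow-list that reports only command words and flag names; the command words, flag names and sample invocation are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)
// Constructed example, not ccloud's code: scrubbing os.Args before they reach a
// usage-analytics sink. Flag names, command words and sample values are assumptions.
// Deny-list: only values of these flags are hidden. A secret passed positionally
// (e.g. `api-key store KEY SECRET`) is not recognised and passes through untouched.
var secretFlags = map[string]bool{"--api-secret": true, "--password": true}

func RedactDenyList(args []string) []string {
	out := make([]string, 0, len(args))
	for i := 0; i < len(args); i++ {
		name, _, hasEq := strings.Cut(args[i], "=")
		switch {
		case hasEq && secretFlags[name]:
			out = append(out, name+"=<redacted>")
		case secretFlags[name] && i+1 < len(args):
			out = append(out, name, "<redacted>")
			i++ // skip the value token
		default:
			out = append(out, args[i])
		}
	}
	return out
}

// Allow-list: only known command words and flag names are reported; every other
// token is replaced, so a secret in any position cannot leak (harmless ids are hidden too).
var commandWords = map[string]bool{"api-key": true, "store": true, "kafka": true, "topic": true}

func RedactAllowList(args []string) []string {
	out := make([]string, 0, len(args))
	for _, a := range args {
		name, _, _ := strings.Cut(a, "=")
		switch {
		case commandWords[a]:
			out = append(out, a)
		case strings.HasPrefix(a, "-"):
			out = append(out, name) // "--flag=value" is reported as "--flag"
		default:
			out = append(out, "<redacted>")
		}
	}
	return out
}

func main() {
	// Constructed invocation: the API secret is a positional argument, not a flag value.
	argv := []string{"api-key", "store", "ABCDEFGH", "s3cr3t+Value", "--resource", "lkc-12345"}
	fmt.Println(RedactDenyList(argv), RedactAllowList(argv)) // only the second hides the secret
}
```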