CircleCI security alert: Rotate any secrets stored in CircleCI

304 points by j_kao, over 2 years ago

20 comments

bamboozled, over 2 years ago

> We wanted to make you aware that we are currently investigating a security incident, and that our investigation is ongoing. We will provide you updates about this incident, and our response, as they become available. At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well.

Is anyone else a little annoyed by the messaging here? I read it as, "We think something bad happened to your ultra secret data, but we don't know, so we're asking teams to spend potentially hours or days fixing things while we aren't really able to tell you if your stuff was actually compromised."

What I find more troubling is, if they don't quite know what happened, or aren't telling us, and we do the work to change everything, how do they know it won't just happen again in the next day or so, with people still accessing our systems? Where are the details?

> At this point, we are confident that there are no unauthorized actors active in our systems.

"Confident" isn't really a good enough word to use here in my opinion. We've just blocked CircleCI from all our systems for now until we hear more, and will likely start to move to another build system.

I know accidents happen, but this is likely the beginning of the end for our team's relationship with CircleCI. Trust has been broken.
arkadiyt, over 2 years ago

Great reminder for folks to switch any AWS actions you perform from CI/CD to use OIDC role assumption instead of static IAM user credentials. Then even if an attacker stole all your secrets, they can't do anything in your AWS account.
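arkadiyt's point above, as an added example that is not from the thread, CircleCI or AWS: a Python helper that builds the IAM trust policy for a role CircleCI jobs assume via OIDC, plus a local simulation of how the policy's conditions constrain which tokens may assume it. The account ID, organization ID and project ID are placeholders; `evaluate_assume_role` is a simplified stand-in for AWS's own policy evaluation (it checks only the issuer, `StringEquals` and `StringLike`), and the sample claim sets are constructed, not real tokens.

```python
import fnmatch
import json

# Placeholders (constructed): substitute your own AWS account and CircleCI IDs.
AWS_ACCOUNT_ID = "123456789012"
CIRCLE_ORG_ID = "00000000-0000-0000-0000-00000000aaaa"      # CircleCI organization ID
CIRCLE_PROJECT_ID = "00000000-0000-0000-0000-00000000bbbb"  # CircleCI project ID


def build_trust_policy(account_id, org_id, project_id):
    """Trust policy for an IAM role that only CircleCI jobs of one project may assume.

    The identity provider host/path also serves as the condition-key prefix. `aud`
    must equal the org ID, and `sub` is pinned to the project, so a token minted
    for another org or project is rejected before any AWS permission is evaluated.
    """
    provider = f"oidc.circleci.com/org/{org_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{provider}:aud": org_id},
                "StringLike": {f"{provider}:sub": f"org/{org_id}/project/{project_id}/user/*"},
            },
        }],
    }


def _claim_values(claims, condition_key):
    """Condition keys look like '<provider>:aud'; the claim name follows the last colon.
    JWT `aud` may be a string or a list, so always return a list of strings."""
    value = claims.get(condition_key.rsplit(":", 1)[-1])
    values = value if isinstance(value, list) else [value]
    return [v for v in values if isinstance(v, str)]


def evaluate_assume_role(policy, claims):
    """Simplified local simulation of AssumeRoleWithWebIdentity trust evaluation.

    Not AWS's evaluator: it checks only the issuer, StringEquals and StringLike
    (IAM's '*' wildcard mapped onto fnmatch), which is enough to show why a
    token from the wrong org or project cannot use the role.
    """
    for stmt in policy["Statement"]:
        provider = stmt["Principal"]["Federated"].split(":oidc-provider/", 1)[1]
        if claims.get("iss") != f"https://{provider}":
            continue  # token was not issued by the provider this statement trusts
        cond = stmt.get("Condition", {})
        equals_ok = all(want in _claim_values(claims, key)
                        for key, want in cond.get("StringEquals", {}).items())
        like_ok = all(any(fnmatch.fnmatchcase(v, pattern) for v in _claim_values(claims, key))
                      for key, pattern in cond.get("StringLike", {}).items())
        if equals_ok and like_ok:
            return True
    return False


POLICY = build_trust_policy(AWS_ACCOUNT_ID, CIRCLE_ORG_ID, CIRCLE_PROJECT_ID)
ISSUER = f"https://oidc.circleci.com/org/{CIRCLE_ORG_ID}"

# Constructed claim sets shaped like a decoded CIRCLE_OIDC_TOKEN; signature
# verification is AWS's job and is out of scope here.
SAMPLE_GOOD = {"iss": ISSUER, "aud": CIRCLE_ORG_ID,
               "sub": f"org/{CIRCLE_ORG_ID}/project/{CIRCLE_PROJECT_ID}/user/user-1"}
SAMPLE_OTHER_PROJECT = {**SAMPLE_GOOD, "sub": f"org/{CIRCLE_ORG_ID}/project/other-project/user/user-1"}
SAMPLE_WRONG_AUD = {**SAMPLE_GOOD, "aud": ["some-other-org"]}
SAMPLE_OTHER_ISSUER = {**SAMPLE_GOOD, "iss": "https://oidc.circleci.com/org/other-org"}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    # Inside a job the exchange is:
    #   aws sts assume-role-with-web-identity --role-arn <role-arn> \
    #       --web-identity-token "$CIRCLE_OIDC_TOKEN" --role-session-name circleci
    for label, claims in [("same project", SAMPLE_GOOD), ("other project", SAMPLE_OTHER_PROJECT),
                          ("wrong audience", SAMPLE_WRONG_AUD), ("other issuer", SAMPLE_OTHER_ISSUER)]:
        print(f"{label:15} -> {'allowed' if evaluate_assume_role(POLICY, claims) else 'denied'}")
```

The security property this buys in an incident like the one in the thread: the job exchanges the short-lived token in `CIRCLE_OIDC_TOKEN` for temporary credentials, so CircleCI's secret store never holds a long-lived AWS key that would have to be rotated, and a token from another org or project fails the `aud`/`sub` conditions even if the role ARN is known.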
sickmate, over 2 years ago

https://twitter.com/sanitybit/status/1610829345676996609

> I've been investigating the use of a @ThinkstCanary AWS token that was improperly accessed on December 27th and suspected as much.
woodruffw, over 2 years ago

Perhaps just unfortunate timing, but of note: this comes approximately a month after CircleCI reduced their staff by about 17% [1].

[1]: https://circleci.com/blog/ceo-jim-rose-email-to-circleci-employees/
nixgeek, over 2 years ago

What's tricky is this is not the first interesting recent post from Rob; he previously posted on "An Update on CircleCI Reliability" (Dec '22) [1] and "CircleCI remains secure; be vigilant and aware of phishing attempts for your credentials" (Nov '22) [2]. Overall, CircleCI has had a rough run of it lately.

[1] https://circleci.com/blog/an-update-on-circleci-reliability/

[2] https://circleci.com/blog/circleci-security-update/
chubs, over 2 years ago

Someone please correct me if I'm wrong... but there was a kerfuffle in 2017 about Circle using third-party JS which could be an attack vector: https://news.ycombinator.com/item?id=15442636

To give credence to this, a GitLabber spoke up in that thread, said it was a serious thing and they deliberately had no third-party stuff on their site for that reason.

And I just logged into Circle today, and used the Safari network inspector to see what JS it loads... and it's still plenty of third-party stuff that I can see:

* Amplitude
* Segment
* cci-growth-utils
* Statuspage
* DataDog
* HotJar
* Pusher

Not sure if this is an issue, but it doesn't make me comfortable.
throwaway892238, over 2 years ago

@dang this is currently #198 off the front page, yet this is basically an emergency (literally every customer's secrets are exposed?)... either CircleCI has no more customers, or people are very calm about this...

We need to rotate:

    - secrets in context environment variables
    - secrets in project environment variables
    - project deploy keys
    - CircleCI API tokens

Then we have to go back and look at all audit logs for... basically everything... and try to find something that looks weird. :/
herpderperator, over 2 years ago

No email? I found out about this from a random HN post?
atymic, over 2 years ago

Had one legacy app still on CircleCI and figured we may as well move it over to GH Actions if we're already rotating tokens anyway. Really hard to recommend anything else these days.
ryanisnan, over 2 years ago

I legitimately don't understand how the ranking on HN works sometimes. How is it that there are older, less-commented posts ranking higher than this story? @dang?

edit: I sincerely think this should be bumped, given how many folks don't seem to be getting the news here in a timely fashion.
rektide, over 2 years ago

Our hodgepodge of microservices, developed over more than a decade, never got coordinated env variables, so now we've got to go through like ~50 services & libraries, one by one, updating secrets. Yuck.

If you do your shit right, you can just dump most of your secrets into some Contexts (containers of env variables) and apply them. Then when this stuff rolls around, it's easy to update everything centrally; change the context & everyone sees it. We, alas, can't easily do that, since we have so many differing env var names. New Year, new fun!
ab-dm, over 2 years ago

Why on earth haven't I received an email from Circle about this??

I guess the answer is, why on earth am I still using Circle CI....

Thankfully all of my secrets/env variables are just dummy data for tests, and I'm already using OIDC.
rupert-m-a, over 2 years ago

I've created a tool due to this incident to help you find your secrets in CircleCI.

https://github.com/rupert-madden-abbott/circleci-audit

It can:

* List env vars attached to your repos and contexts
* List SSH keys attached to your repos
* List which repos are configured with Jira (a secret that might need rotating)
theogravity, over 2 years ago

Does this also include deploy SSH keys?
nixgeek, over 2 years ago

Another thread which may need merging into this: https://news.ycombinator.com/item?id=34255189
mjmasn, over 2 years ago

PSA: Seems like deleting deploy keys on the CircleCI end doesn't actually delete them from GitHub, so you need to do it on both ends.
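Three comments in this thread describe one procedure: throwaway892238's list of what has to be rotated (context env vars, project env vars, deploy keys, API tokens), rupert-m-a's audit tool that enumerates env vars and SSH keys over the CircleCI API, and mjmasn's PSA that a deploy key removed in CircleCI lingers on GitHub. The Python below is an added example, not the circleci-audit tool and not code from the thread: it turns CircleCI API v2 responses (`/project/{slug}/envvar`, `/context`, `/context/{id}/environment-variable`, `/project/{slug}/checkout-key`) and the GitHub repository deploy-key listing into a rotation checklist, then flags GitHub deploy keys that CircleCI no longer knows about. The project slug, env var names, key material and the `fetch_live` helper's use of `CIRCLE_TOKEN`/`GITHUB_TOKEN` environment variables are assumptions; the sample payloads are constructed so the script runs offline.

```python
import json
import os
import urllib.request

CIRCLE_API = "https://circleci.com/api/v2"
GITHUB_API = "https://api.github.com"

# Constructed sample payloads shaped like the API responses (names and keys are placeholders).
PROJECT_SLUG = "gh/example-org/payments"
SAMPLE_PROJECT_ENVVARS = {"items": [{"name": "NPM_TOKEN", "value": "xxxx1a2b"},
                                    {"name": "AWS_SECRET_ACCESS_KEY", "value": "xxxx9f0e"}]}
SAMPLE_CONTEXTS = {"items": [{"id": "ctx-1", "name": "prod-deploy"}]}
SAMPLE_CONTEXT_ENVVARS = {"ctx-1": {"items": [{"variable": "DOCKERHUB_PASSWORD", "context_id": "ctx-1"}]}}
SAMPLE_CHECKOUT_KEYS = {"items": [{"type": "deploy-key", "fingerprint": "SHA256:keyA",
                                   "public-key": "ssh-ed25519 AAAAkeyA"}]}
SAMPLE_GITHUB_KEYS = [{"id": 1, "title": "CircleCI", "key": "ssh-ed25519 AAAAkeyA"},
                      {"id": 2, "title": "CircleCI (old)", "key": "ssh-ed25519 AAAAkeyB"}]


def get_json(url, headers):
    """Minimal authenticated GET; only used for a live run (pagination omitted)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_live(project_slug, org_id):
    """Live inventory (assumed setup): needs CIRCLE_TOKEN and GITHUB_TOKEN in the environment."""
    circle = {"Circle-Token": os.environ["CIRCLE_TOKEN"]}
    project_envvars = get_json(f"{CIRCLE_API}/project/{project_slug}/envvar", circle)
    contexts = get_json(f"{CIRCLE_API}/context?owner-id={org_id}", circle)
    context_envvars = {c["id"]: get_json(f"{CIRCLE_API}/context/{c['id']}/environment-variable", circle)
                       for c in contexts.get("items", [])}
    checkout_keys = get_json(f"{CIRCLE_API}/project/{project_slug}/checkout-key", circle)
    owner_repo = project_slug.split("/", 1)[1]  # "gh/org/repo" -> "org/repo"
    github_keys = get_json(f"{GITHUB_API}/repos/{owner_repo}/keys",
                           {"Authorization": f"Bearer {os.environ['GITHUB_TOKEN']}"})
    return project_envvars, contexts, context_envvars, checkout_keys, github_keys


def rotation_inventory(project_slug, project_envvars, contexts, context_envvars, checkout_keys):
    """Flatten the responses into (kind, location, name) items for the rotation checklist.
    CircleCI already masks values on these endpoints; only names and fingerprints are listed."""
    items = []
    for e in project_envvars.get("items", []):
        items.append(("project-envvar", project_slug, e["name"]))
    for ctx in contexts.get("items", []):
        for e in context_envvars.get(ctx["id"], {}).get("items", []):
            items.append(("context-envvar", ctx["name"], e["variable"]))
    for k in checkout_keys.get("items", []):
        items.append((k["type"], project_slug, k["fingerprint"]))
    return items


def _key_blob(public_key):
    """Base64 body of an OpenSSH public key; titles and comments are ignored on purpose."""
    parts = public_key.split()
    return parts[1] if len(parts) >= 2 else public_key.strip()


def orphaned_github_deploy_keys(checkout_keys, github_keys):
    """Deploy keys still on the GitHub repo that CircleCI no longer lists. Deleting on the
    CircleCI side does not remove them from GitHub, so these need a second deletion there."""
    known = {_key_blob(k["public-key"]) for k in checkout_keys.get("items", [])}
    return [g for g in github_keys if _key_blob(g["key"]) not in known]


if __name__ == "__main__":
    slug = os.environ.get("CIRCLE_PROJECT_SLUG", PROJECT_SLUG)
    if os.environ.get("CIRCLE_TOKEN") and os.environ.get("GITHUB_TOKEN"):
        data = fetch_live(slug, os.environ.get("CIRCLE_ORG_ID", ""))
    else:
        data = (SAMPLE_PROJECT_ENVVARS, SAMPLE_CONTEXTS, SAMPLE_CONTEXT_ENVVARS,
                SAMPLE_CHECKOUT_KEYS, SAMPLE_GITHUB_KEYS)
    project_envvars, contexts, context_envvars, checkout_keys, github_keys = data
    for kind, where, name in rotation_inventory(slug, project_envvars, contexts,
                                                context_envvars, checkout_keys):
        print(f"rotate  {kind:15} {where:25} {name}")
    for g in orphaned_github_deploy_keys(checkout_keys, github_keys):
        print(f"orphan  GitHub deploy key id={g['id']} ({g['title']}): remove it on GitHub as well")
```

The orphan check matches on the key material rather than the GitHub key title, since titles are free text; any key it reports that was never CircleCI's (another tool's deploy key, for instance) still deserves a look during an incident like this one, because the question being answered is "which keys can still clone or push to this repository".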
benced, over 2 years ago

You have to trust a CI provider almost as much as your production host. Circle has not earned the same trust as organizations like AWS.
shdh, over 2 years ago

Subpar product, never enjoyed using it. Constant downtime and incidents.
jgaa, over 2 years ago

I really don't understand why you use someone else's computer to compile and test your stuff.

When their computers are compromised, by internal or external crooks, the crooks have full access to your code, and, in some cases, your data. If they wanted, they could inject their own shit into your binaries, totally ruining *your* reputation.

As a bonus, you get to pay a premium!

I still compile and test my code on my own machines, in my own network. It's *much* faster than CircleCI, cheaper, and it's ∞ safer.
p-e-w, over 2 years ago

I want the following option in my account settings for all critical services:

    [X] In case of a "security incident", lock down my account until I take action.

I understand why they can't do that by default, but it's crazy that every time this happens, I have to run in order to secure my assets when in many cases, I'd be perfectly fine with things just shutting down until I have time to take care of them.

Better yet, also give me a button that does this even when there's no official incident reported. That means disabling all access tokens, resetting the password, halting any scheduled jobs, and revoking access for any connected OAuth services until I manually re-enable them.