
CircleCI's incident response

59 points by cr4zy over 11 years ago

5 comments

WestCoastJustin over 11 years ago
Ouch -- amazing how there is this ripple effect happening now that everyone is using the cloud and there are so many middlemen or service APIs.

> In order to protect your data and users, we strongly urge you to secure each of these systems:
>
> SSH keys uploaded to CircleCI
> API tokens stored in CircleCI env vars
> API/SSH key stored in a GitHub repo accessible from your CircleCI

Interesting to note that Stripe and Kickstarter are customers. It is a little scary to think their source code could have been exposed, given the $$$ flowing through their systems. So, someone could have used these keys to have much wider access!
Comment #6644003 not loaded
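The third item in CircleCI's list above (credentials sitting in a repository the CI system can read) is the one customers can check for themselves. The scanner below is an added example written for this page, not CircleCI's tooling or anything from the thread: it walks a source tree for private-key headers, AWS access key IDs and `NAME=value` assignments whose name looks like a credential, and uses Shannon entropy to drop obvious placeholders. The rule set, the entropy threshold and the sample files are all assumptions constructed for illustration (the AWS ID is the documented example key from AWS's own docs, not a live credential); real scanners such as gitleaks or trufflehog carry much larger, tuned rule sets and also walk git history, which this example does not.

```python
"""Scan a source tree for credentials that a CI system with repo access could
read: private keys, AWS access key IDs and assigned API tokens/secrets.
Added example for this page; rules and samples are illustrative assumptions.
"""
import math
import os
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    preview: str  # masked value, never the full secret


# Illustrative rule set (assumption; production scanners ship far more rules).
RULES: Dict[str, re.Pattern] = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # NAME=value / NAME: "value" where NAME smells like a credential
    "assigned_secret": re.compile(
        r"(?i)\b[a-z0-9_]*(?:api_key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; hex tokens score 4.0, 'xxxx...' scores 0


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of value (0.0 for a single repeated char)."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def mask(value: str) -> str:
    """Keep only a short prefix so reports do not re-leak the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "assigned_secret" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low-entropy value: a placeholder, not a real token
            findings.append(Finding(path, lineno, rule, mask(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map, deterministic order by path."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


def read_tree(root: str) -> Dict[str, str]:
    """Load text files under root, skipping .git (working tree only; history
    would need `git log -p`, which this example does not cover)."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return files


# Constructed sample tree (assumption for illustration, not real credentials).
SAMPLE_FILES: Dict[str, str] = {
    "deploy_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    ".env": 'HEROKU_API_KEY="0123456789abcdef0123456789abcdef"\n',
    "app.py": "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n",
    "README.md": "Copy .env.example and set API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxx\n",
}

if __name__ == "__main__":
    import sys
    files = read_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    for f in scan_files(files):
        print(f"{f.path}:{f.line}: {f.rule} ({f.preview})")
```

Run it with a checkout path as the first argument, or with no argument to scan the built-in samples; on those it reports the `.env` Heroku key, the AWS ID in `app.py` and the key header in `deploy_key`, and stays silent on the README placeholder. A hit in the working tree means the credential must be rotated, not merely deleted: the CI provider (and anyone who read its copy of the repo) already has it.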
tkiley over 11 years ago
Now might be a good time for CircleCI customers to pick up a code analysis tool such as Brakeman and look for obvious security holes in their apps. If the attackers have hundreds or thousands of web apps' source code, I'd expect them to start trawling for vulnerabilities with automated tools.
damncabbage over 11 years ago
What happened between the 19th and the 28th? https://news.ycombinator.com/item?id=6638004

> Hi Justin. To clarify, from what I understand, October 28 is the date MongoHQ detected this. They've provided us with the logs of database access, and unfortunately the queries leading to our spam attack on Saturday started as early as October 19.
johnwards over 11 years ago
So, to be clear. I need to contact Github directly to see if my source has been downloaded using compromised deploy keys?
Comment #6643910 not loaded
Comment #6644015 not loaded
jonny_eh over 11 years ago
If I had a Heroku API key stored with CircleCI, should I assume all of my app's production config variables have been compromised?
Comment #6644026 not loaded