UK Markets close in 3 hrs 24 mins
  • FTSE 100

    7,774.26
    +9.11 (+0.12%)
     
  • FTSE 250

    19,839.07
    -196.32 (-0.98%)
     
  • AIM

    866.11
    -3.13 (-0.36%)
     
  • GBP/EUR

    1.1362
    -0.0042 (-0.37%)
     
  • GBP/USD

    1.2394
    -0.0001 (-0.0074%)
     
  • BTC-GBP

    18,632.48
    -405.82 (-2.13%)
     
  • CMC Crypto 200

    522.54
    +5.54 (+1.07%)
     
  • S&P 500

    4,070.56
    +10.13 (+0.25%)
     
  • DOW

    33,978.08
    +28.68 (+0.08%)
     
  • CRUDE OIL

    79.59
    -0.09 (-0.11%)
     
  • GOLD FUTURES

    1,941.80
    -3.80 (-0.20%)
     
  • NIKKEI 225

    27,433.40
    +50.84 (+0.19%)
     
  • HANG SENG

    22,069.73
    -619.17 (-2.73%)
     
  • DAX

    15,074.54
    -75.49 (-0.50%)
     
  • CAC 40

    7,063.78
    -33.43 (-0.47%)
     

CircleCI warns customers to rotate 'any and all secrets' after hack

CircleCI, a company whose development products are popular with software engineers, has urged users to rotate their secrets following a breach of the company's systems.

The San Francisco–headquartered DevOps company said in an advisory published late Wednesday that it is currently investigating the security incident — its most recent in recent years.

We wanted to make you aware that we are currently investigating a security incident, and that our investigation is ongoing,” CircleCI CTO Rob Zuber said. “At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well.”

CircleCI, which claims its technology is used by more than a million software engineers, is advising users to rotate “any and all secrets" stored in CircleCI, including those stored in project environment variables or in contexts. Secrets are passwords or private keys that are used to connect and authenticate servers together.

For projects using API tokens, CircleCI said it has invalidated these tokens and users will be required to replace them.

CircleCI, which in 2021 announced a $100 million Series F at a $1.7 billion valuation, hasn’t shared any more information about the nature of the incident and has yet to respond to TechCrunch’s questions.

However, the company is also advising users to audit their internal logs for unauthorized access occurring between December 21, 2022, and January 4, 2023, which suggests the company's breach began some two weeks earlier. On December 21, the company also announced that it had released reliability updates to the service to resolve underlying "systemic issues.

In 2019, CircleCI was hit by a data breach after a third-party vendor was compromised. This saw hackers compromise user data, including usernames and email addresses, usernames and email addresses associated with GitHub and Bitbucket, along with user IP addresses.

In November, CircleCI said that it had also witnessed an increasing number of phishing attempts whereby unauthorized actors were impersonating CircleCI to gain access to users’ code repositories on GitHub.