CircleCI, a company whose products are popular with software engineers, urged users to rotate their secrets after its systems were compromised.
The San Francisco-based DevOps company said in an advisory published late Wednesday that it is currently investigating the security incident.
“We are currently investigating a security incident and would like to inform you that the investigation is ongoing,” said Rob Zuber, CircleCI CTO. “At this point, we are confident that there are no unauthorized actors active in our system. I want to make sure that we do.”
CircleCI, which claims its technology is used by over 1 million software engineers, is advising users to rotate “any and all secrets” stored in CircleCI, including those stored in project environment variables and contexts. A secret is a password or private key used to connect to and authenticate with a server.
For projects using API tokens, CircleCI says it has disabled these tokens and users should replace them.
CircleCI, which announced a $100 million Series F at a $1.7 billion valuation in 2021, has not shared further information about the nature of the incident and has not yet responded to TechCrunch’s questions.
However, the company also advises users to audit internal logs for unauthorized access that occurred between December 21, 2022 and January 4, 2023. The company also announced that it released a service reliability update on Dec. 21 to address an underlying “systemic issue.”
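One way to carry out the log audit advised above, as an added example that is not from CircleCI or the original article: it filters constructed JSON-lines audit records to the December 21, 2022 to January 4, 2023 window and flags events from sources outside an expected set. The record fields, the allowlist and the reading of the window as whole UTC days are assumptions.

```python
import json
from datetime import datetime, timezone

# Window from the advisory; reading both dates as whole UTC days is an assumption.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 5, tzinfo=timezone.utc)  # exclusive bound: end of Jan 4

# Constructed sample records; the field names are hypothetical, not a vendor schema.
SAMPLE_LOG = """\
{"ts": "2022-12-20T20:00:00-05:00", "actor": "bob", "ip": "203.0.113.77", "action": "login"}
{"ts": "2022-12-22T03:14:00Z", "actor": "ci-deploy", "ip": "203.0.113.50", "action": "token.use"}
{"ts": "2022-12-28T10:00:00+01:00", "actor": "ci-deploy", "ip": "198.51.100.7", "action": "token.use"}
{"ts": "2023-01-04T23:30:00-05:00", "actor": "alice", "ip": "203.0.113.9", "action": "key.create"}
{"ts": "2023-01-04T18:00:00Z", "actor": "alice", "ip": "192.0.2.44", "action": "key.create"}
not-json garbage line
"""
KNOWN_IPS = {"198.51.100.7", "192.0.2.44"}  # constructed allowlist of expected sources


def parse_ts(value):
    # datetime.fromisoformat() before Python 3.11 rejects a trailing "Z"
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive stamps are UTC
    return ts.astimezone(timezone.utc)


def review(log_text, known_ips):
    """Return (in-window events from unexpected sources, unparsable line numbers)."""
    flagged, bad = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ts = parse_ts(rec["ts"])
        except (ValueError, KeyError, TypeError):
            bad.append(n)  # report unreadable lines instead of dropping them silently
            continue
        if WINDOW_START <= ts < WINDOW_END and rec.get("ip") not in known_ips:
            flagged.append((n, ts.isoformat(), rec.get("actor"), rec.get("ip"), rec.get("action")))
    return flagged, bad


if __name__ == "__main__":
    hits, unreadable = review(SAMPLE_LOG, KNOWN_IPS)
    for hit in hits:
        print("REVIEW", *hit)
    print("unparsable lines:", unreadable)
```

Timestamps are normalised to UTC before comparison, so the first record (December 20 local time) falls inside the window while the fourth (January 4 local time) falls outside it.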
In 2019, CircleCI suffered a data breach after a third-party vendor was compromised. This allowed the hackers to compromise user data, including usernames and email addresses associated with GitHub and Bitbucket, and users’ IP addresses.
In November, CircleCI said it also witnessed an increase in phishing attacks in which unauthorized actors impersonated CircleCI to access users’ code repositories on GitHub.