First LastPass, now Slack and CircleCI. The hacks go on (and will likely worsen)


In the last 24 hours, the world has learned of serious breaches that hit the chat service Slack and the software testing and distribution company CircleCI, though the vague language each company used (“security issue” and “security incident”) would forgive anyone for thinking these incidents were minor.

Whether it’s the theft of employee token credentials in the case of Slack or the exposure of all stored customer secrets in the case of CircleCI, these breaches come two weeks after the password manager LastPass revealed its own security failure: the theft of its customers’ password vaults, in both encrypted and plain-text form. It’s not clear if all three breaches are related, but it’s certainly possible.

The more concerning of the two new breaches is the one that hit CircleCI. On Wednesday night, the company reported a “security incident” and urged customers to rotate “all secrets” stored in the service. The company also notified customers of a token change, a high-effort task that requires replacing the affected tokens.

According to CircleCI, more than 1 million developers across 30,000 organizations rely on the service, running nearly 1 million jobs every day. The potential exposure of all that sensitive information, such as login credentials and access tokens, could be catastrophic for the security of the entire Internet.

Lack of transparency

CircleCI is still tight-lipped about what happened. Its advisory doesn’t use the words “breach,” “compromise,” or “intrusion,” but that’s almost certainly what happened. Exhibit A: the statement “At this time, we are confident that there are no unauthorized actors active on our systems,” which implies that a network intruder had been active previously. Exhibit B: customers are advised to check internal logs for unauthorized access between December 21 and January 4.

Taken together, these statements make it hard not to suspect that the attackers were active inside CircleCI’s systems for two weeks, enough time to collect an unimaginable amount of the industry’s most sensitive data.

Meanwhile, Slack’s advisory is similarly opaque. It is dated December 31, but the Internet Archive didn’t capture it until Thursday, five days later. Clearly, Slack was in no rush to make the event widely known.

Similar to CircleCI’s disclosure, the Slack advisory also avoids specific language, instead using the passive phrase “stolen and exploited” without saying how. On top of its lack of candor, the company embedded HTML tags in the post to prevent search engines from indexing the advisory.

After obtaining Slack’s employee tokens, the attackers misused them to access the company’s external GitHub account. From there, the intruders downloaded private code repositories. The advisory states that customers were not affected and emphasizes that “the attacker did not have access to any other areas of Slack’s environment, including production, nor did they have access to any other Slack resources or customer data.”

Customers should take such statements with a generous helping of salt. Remember the LastPass advisory from August? The company also used the opaque term “security incident” and stated that “no customer data was accessed.” It was only at the end of business in 2022 that it revealed the true extent of the breach, disclosing further access to customer data and to more sensitive parts of its network.

Supply chain hacking

It is also possible that some or all of these breaches are related. The Internet relies on a large ecosystem of content delivery networks, certification services, software development tool makers, and other companies. Attackers frequently hack one of these companies and use the data or access they obtain to infiltrate that company’s customers or partners.

One example is the August breach of security provider Twilio, which led to the compromise of Okta, Signal, DoorDash, and more than 130 other companies.

Something similar happened in late 2020 when hackers compromised SolarWinds, took control of its software build system, and used it to infect about 40 SolarWinds customers.

For now, people should be prepared for additional disclosures from the companies they trust. It’s always a good idea to check internal system logs for suspicious entries, enable multi-factor authentication, and patch network systems, but given current events, these precautions should be taken promptly. It’s also worth checking logs for any contact with the IP address 54.145.167.181, which a security expert said was associated with the CircleCI breach.
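A defender-side log check of the kind the paragraph recommends, as an added example that is not code from the article: it scans timestamped log lines for the IP address quoted above, restricted to the December 21 to January 4 window named in the CircleCI advisory. The year, the log line format, and the sample lines are assumptions and constructed data.

```python
import ipaddress
import re
from datetime import datetime, timezone

# IoC quoted in the article. The year is an assumption: the advisory's
# Dec 21 - Jan 4 window is taken to span 2022/2023.
CIRCLECI_IOC_IP = "54.145.167.181"
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 4, 23, 59, 59, tzinfo=timezone.utc)

# Assumed log format: an ISO-8601 UTC timestamp at the start of each line.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z?")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_line(line):
    """Return (timestamp, set of valid IPv4 addresses) or None if no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    ips = set()
    for cand in IP_RE.findall(line):
        try:
            ips.add(str(ipaddress.IPv4Address(cand)))
        except ipaddress.AddressValueError:
            pass  # dotted numbers that are not addresses, e.g. "999.1.1.1"
    return ts, ips

def find_ioc_hits(lines, ioc_ip=CIRCLECI_IOC_IP, start=WINDOW_START, end=WINDOW_END):
    """Return the log lines that mention ioc_ip inside the [start, end] window."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not silently treated as clean
        ts, ips = parsed
        if ioc_ip in ips and start <= ts <= end:
            hits.append(line)
    return hits

# Constructed sample lines (not real logs): one in-window hit, one hit outside
# the window, one unrelated address, and one line with no timestamp.
SAMPLE_LOG = [
    "2022-12-23T03:14:07Z sshd[812]: Accepted publickey for deploy from 54.145.167.181 port 51522",
    "2022-12-10T09:00:00Z sshd[700]: Accepted publickey for deploy from 54.145.167.181 port 40001",
    "2022-12-28T11:22:33Z nginx: 203.0.113.9 - GET /api/v1/me 200",
    "no timestamp on this line 54.145.167.181",
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print("REVIEW:", hit)
```

A hit is a lead to investigate, not proof of compromise: cloud addresses are reassigned, so confirm any match against the session details around it.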

It should also be remembered that, despite companies’ promises of transparency, brief and carefully worded disclosures are designed to hide more than they reveal.
