DevOps platform CircleCI urges users to rotate all secrets

Share post:

Application developers using the CircleCI continuous integration platform are being urged to rotate all secrets — including passwords, API keys, and digital certificates — stored in the system, after the discovery of an unspecified security incident.

In a blog Wednesday, company chief technology officer (CTO) Rob Zuber said this includes secrets stored in project environment variables or in contexts.

The company also recommends users review internal logs for their systems for any unauthorized access starting from December 21, 2022, or upon completion of their secrets rotation.

If a project uses Project API tokens, they have been invalidated by CircleCI and will have to be replaced.

In response to a question on the company’s discussion forum, a staffer said rotation includes SSH keys, Jira and Slack integration tokens and webhook secrets.

“We apologize for any disruption to your work,” Zuber added. “We take the security of our systems and our customers’ systems extremely seriously. While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days.

“At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well.”

The San Francisco-based company says over one million DevOps software engineers use CircleCI and its automation engine to create applications for multiple environments, including Docker.

In November, it joined the Amazon Web Service (AWS) Service Ready Program for Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances. CircleCI counts Cisco, Peloton, and HashiCorp among its customers.

The post DevOps platform CircleCI urges users to rotate all secrets first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways