DevOps platform CircleCI on Wednesday urged its customers to rotate all their secrets following an unspecified security incident.
The company said an investigation is currently ongoing, but emphasized that “there are no unauthorized actors active in our systems.” Additional details are expected to be shared in the coming days.
“Immediately rotate any and all secrets stored in CircleCI,” CircleCI’s chief technology officer, Rob Zuber, said in a terse advisory. “These may be stored in project environment variables or in contexts.”
CircleCI is also recommending that users review internal logs for signs of any unauthorized access from December 21, 2022, to January 4, 2023, or until the secrets are rotated.
The software development service did not disclose any further specifics about the breach, but said it has also invalidated all Project API tokens and that they need to be replaced.
The disclosure comes weeks after the company announced that it had rolled out reliability updates to the service on December 21, 2022, to resolve underlying “systemic issues.”
It is also the latest breach to hit CircleCI in recent years. The company, in September 2019, disclosed “unusual activity” related to a third-party analytics vendor that resulted in unauthorized access to usernames and email addresses associated with GitHub and Bitbucket.
Then last year, it alerted users that fake CircleCI email notifications were being used to steal GitHub credentials and two-factor authentication (2FA) codes.
Slack’s GitHub Code Repositories Stolen
It is not just CircleCI, as Slack disclosed on December 31, 2022, that it became aware of a security issue involving unauthorized access to a subset of its source code repositories on GitHub.
The issue, which came to light on December 29, 2022, resulted in the theft of a limited number of Slack employee tokens that were then used to access its GitHub repository, ultimately allowing the adversary to download the source code.
Slack, however, said no customer action is required and that the breach was quickly contained. The credentials have since been invalidated.
“No downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase,” the Salesforce-owned company said. “The threat actor did not access other areas of Slack’s environment, including the production environment, and they did not access other Slack resources or customer data.”
The instant messaging service did not share more information on how the employee tokens were stolen, but stressed that the “unauthorized access did not result from a vulnerability inherent to Slack.”