CircleCI security alert after hackers steal encryption keys and secrets

Continuous integration and continuous delivery platform CircleCI has published more details regarding a security breach that occurred at the start of the year.

The company disclosed in an updated blog post that “an intruder gained access through an employee’s laptop that was compromised with malware,” allowing the theft of session tokens to keep the employee logged into internal systems—even though the applications were protected with two-factor authentication.

CircleCI is taking responsibility for the compromise and breach, calling it a “systems failure,” since the malware was able to evade company antivirus software.

Once the cybercriminals were inside internal systems, they were able to impersonate the infected employee and gain access to customer data and production systems.

Even though the customer data was encrypted, the cybercriminals were able to obtain the encryption keys to decrypt the stolen customer data.

CircleCI security recommendations

CircleCI recommends all customers add additional layers of protection to their CI/CD pipeline configuration. The company strongly advises customers to perform the following to increase security:

  • Use OIDC tokens wherever possible to avoid storing long-lived credentials in CircleCI.
  • Take advantage of IP ranges to limit inbound connections to your systems to known IP addresses.
  • Use Contexts to enable the sharing of environment variables across projects, which can then be rotated automatically via API.
  • For privileged access and additional controls, you may choose to use runners, which allow you to connect the CircleCI platform to your own compute and environments, including IP restrictions and IAM management.

CircleCI breach may impact Datadog customers

Cloud firm Datadog disclosed that it was informed by CircleCI of the breach, and “identified a single secret stored in CircleCI that could theoretically be misused by a potential attacker.”

The affected RPM GPG signing key has the following fingerprint:

60A389A44A0C32BAE3C03F0B069B56F54172A230

Datadog only recommends customers take action if “you’re on an RPM-based Linux distribution (RHEL, CentOS, Rocky Linux, AlmaLinux, Amazon Linux, SUSE/SLES, Fedora), and your system trusts the affected GPG key.”

Complete details on the recommended actions for Datadog customers are available on the Datadog blog.
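The condition in Datadog's advice ("your system trusts the affected GPG key") is something an administrator can check on each host. The script below is an added example, not part of the article and not Datadog's or CircleCI's own tooling. It uses the fingerprint quoted above and assumes two things: that rpm records imported signing keys as gpg-pubkey packages whose version is the lowercase last eight hex digits of the key ID, and that repository key files live under /etc/pki/rpm-gpg (a common default on RHEL-family systems; the path is a parameter because it varies by distribution).

```shell
#!/bin/sh
# Added example: check whether an RPM-based host trusts the affected Datadog RPM
# signing key. Fingerprint taken from the article; everything else is constructed.
AFFECTED_FPR="60A389A44A0C32BAE3C03F0B069B56F54172A230"

# rpm names imported keys gpg-pubkey-<short id>-<timestamp>, where <short id>
# is the lowercase last 8 hex digits of the key ID (assumption about rpm naming).
short_keyid() {
    printf '%s' "$1" | tail -c 8 | tr 'A-F' 'a-f'
}

# Reads gpg-pubkey versions on stdin (one per line, as printed by
# `rpm -q gpg-pubkey --qf '%{version}\n'`) and reports whether the affected key
# is among them. Prints "trusted" (exit 0) or "not-trusted" (exit 1).
key_trusted_in() {
    wanted=$(short_keyid "$AFFECTED_FPR")
    while IFS= read -r v; do
        if [ "$v" = "$wanted" ]; then
            echo "trusted"
            return 0
        fi
    done
    echo "not-trusted"
    return 1
}

# Live check of the rpm database on this host. Exit 2 if rpm is not present.
check_host() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; this does not look like an RPM-based system" >&2
        return 2
    fi
    # `rpm -q gpg-pubkey --qf '%{version}-%{release}\t%{summary}\n'` shows the
    # same keys with their owner names if you want a human-readable listing.
    rpm -q gpg-pubkey --qf '%{version}\n' 2>/dev/null | key_trusted_in
}

# Repositories may also reference key files on disk that have not been imported
# yet; compare their full fingerprints. Prints each matching file. Needs gpg.
scan_key_files() {
    dir="${1:-/etc/pki/rpm-gpg}"   # assumed default location; pass another if needed
    command -v gpg >/dev/null 2>&1 || return 2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if gpg --batch --with-colons --show-keys "$f" 2>/dev/null \
            | awk -F: '$1=="fpr"{print $10}' \
            | grep -qi "^$AFFECTED_FPR\$"; then
            echo "$f"
        fi
    done
}

# Stand-alone usage: sh check-key.sh  (prints trusted / not-trusted, then any
# matching key files). The `|| true` keeps the script going when the key is absent.
check_host || true
scan_key_files || true
```

A "trusted" verdict, or any file printed by scan_key_files, means the host is in the population Datadog's note addresses and the steps in the Datadog blog apply; "not-trusted" with no files listed means the key is neither imported into the rpm database nor present in the scanned directory, though keys fetched on demand from a repository's gpgkey URL would only show up after import.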
