|
Boost : |
From: Marshall Clow (mclow.lists_at_[hidden])
Date: 2023-01-05 02:49:10
I received this todayâ¦..
â Marshall
> Begin forwarded message:
>
> From: CircleCI <security_at_[hidden]>
> Subject: CircleCI Security Alert - 4 Jan 2023 - Rotate any secrets stored in CircleCI
> Date: January 4, 2023 at 6:30:49 PM PST
> To: marshall_at_[hidden]
> Reply-To: security_at_[hidden]
>
> <https://go.circleci.com/NDg1LVpNSC02MjYAAAGJHrz8WLiocAliTEINy0V4BGCeC4xesDlLjWEM0M7yOMxzf8YiLscRZ-N_HkNZHSJ7t-Yketc=>
> We wanted to make you aware that we are currently investigating a security incident, and that our investigation is ongoing. We will provide you updates about this incident, and our response, as they become available. At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well.
>
> Action request:
>
> Out of an abundance of caution, we strongly recommend that all customers take the following actions:
> Immediately rotate any and all secrets stored in CircleCI. These may be stored in project environment variables or in contexts.
> We also recommend customers review internal logs for their systems for any unauthorized access starting from December 21, 2022 through today, January 4, 2023, or upon completion of your secrets rotation.
> Additionally, if your project uses Project API tokens, we have invalidated those and you will need to replace them. You can find more information on how to do that in our documentation here. <https://go.circleci.com/NDg1LVpNSC02MjYAAAGJHrz8WBmOiXzPovREibkXKh8IqcsacumapcCwISlvWtlsyElIbWTgBhdV4aUZpfQ2vN8Hdlw=>
>
> We apologize for any disruption to your work. We take the security of our systems and our customersâ systems extremely seriously. While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days.
>
> Thank you for your urgent attention to rotating your secrets.
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk