CircleCI data breach

Rotem Lebovich


Principal Product Manager


Breach summary

CircleCI announced on January 4, 2023 that it experienced a security incident involving the exploit of a malware-infected user laptop to gain access to the company’s production systems. As part of the breach, hackers accessed and exfiltrated some CircleCI customer data. While those data were encrypted at rest, hackers were also able to gain access to some encryption keys.

Remediation details

Your systems or applications could be at risk of exploit if you have data stored in CircleCI. The company published advice for their customers to conduct forensic analysis to detect potential compromise in its January 4 security alert, which they are updating on an ongoing basis, as well as in its final incident report. As part of their remediation and recovery process, CircleCI shut down access for the infected user and most employees, implemented a step-up authentication program for those with access, set up more robust alerting, updated anti-malware systems to block malicious traffic, rotated infected hosts and revoked or rotated tokens, and notified customers, instructing them to rotate all secrets on the service. They share a CLI script for fetching all secrets from CircleCI, detail changes to the CircleCI API, and offer comprehensive audit logs to customers upon request.

Reduce risk in tools and code

While this incident occurred in CircleCI, it could happen in other tools as well. If you store sensitive data in similar systems in the cloud, make sure you have a regular review process that includes:

  • Right-sized access and strong authentication (including step-up) for privileged users with access to production systems
  • Comprehensive logging and auditing of all privileged user activity
  • Monitoring of all code repositories and pipeline resources
  • Rapid remediation of vulnerabilities and misconfigurations

Beyond rotating your secrets stored in CircleCI and other cloud-based tools, make sure to find and eliminate them from your codebase as well. Fix them at the source, and ideally search for secrets in an ongoing, programmatic way.

Use Dazz to discover, reduce, and fix security issues

You can use the Dazz Remediation Cloud to identify rogue pipelines, detect access sprawl, see secrets in code, reduce to root causes, and automatically remediate vulnerabilities and misconfigurations to close your risk window in a fraction of the time.

What we are doing in the Dazz Remediation Cloud to avoid exploit

Dazz provides real-time visibility into the security of an organization's Cloud environment, allowing organizations to quickly identify and respond to security incidents and get visibility to the organization pipelines.

With the ability to detect and remediate threats in real time, organizations can limit the impact of a breach and minimize downtime of the production environment and critical assets.

See Dazz for  yourself.

Get a demo