CircleCI said it is now working directly with Amazon Web Service (AWS) to help notify customers whose AWS tokens may have been impacted by a Jan. 4 security breach, according to an update provided by the development platform Thursday.
In an update posted Jan. 12 to CircleCI's security advisory about the breach, they said AWS has begun sending out alerts to customers via emails with lists of potentially impacted tokens with the subject line [Action Required] CircleCI Security Alert to Rotate Access Key.
“We have partnered with AWS to help notify all CircleCI customers whose AWS tokens may have been impacted as part of this security incident. Today, AWS began alerting customers via email with lists of potentially impacted tokens,” the company said in an unsigned update posted Jan. 12.
CircleCI said the company's goal in partnering with AWS is to help customers easily identify and revoke or rotate any potentially affected keys. They also stressed that “[a]t this time, there is no indication that your AWS account was accessed, only that there is a possibility the token stored in CircleCI was leaked, and therefore should be deleted from AWS and rotated.”
While CircleCI has not confirmed the impact of the breach on third-party applications, the update bolsters Jan. 10 findings from Mitiga indicating that the incident also affected SaaS and Cloud providers that interact with the CircleCI platform, such as AWS, GitHub, Google Cloud Platform (GCP), and Microsoft Azure.
"While using the CircleCI platform, you integrate the platform with other SaaS and Cloud providers your company uses. For each integration, you need to provide the CircleCI platform with authentication tokens and secrets," Mitaga's researchers noted in the blog. "When a security incident involves your CircleCIplatform, not only is your CircleCI platform in danger, [so are] all other SaaS platforms and Cloud providers integrated with the CircleCI...since their secrets are stored within the CircleCI platform and can be used by a threat actor to expand their foothold."
When SC Media initially contacted AWS on Tuesday to ask about the Mitiga research and if they planned to notify their customers or assist in remediation, a spokesperson responded by linking to the company's "shared responsibility model" page that stated AWS is only responsible for securing their own infrastructure, implying that responsibility for determining impact from integrating with CircleCI rested solely on the shoulders of their users. Now the company appears to be active in identifying affected AWS tokens.
CircleCI did not directly answer SC Media's inquiry on the actual impact of the incident on third-party applications and whether the company will work with other platforms, such as GitHub, Azure, and GCP, to alert users to the risks.
A spokesperson told SC Media earlier this week that it would provide customers with an incident report on Jan. 17 with additional details about the breach.