
First LastPass, now Slack and CircleCI. The hacks continue (and will probably get worse)


    In the past 24 hours, the world has learned of serious breaches at chat service Slack and software testing and delivery company CircleCI, though anyone reading the companies’ opaque phrasing, “security vulnerability” and “security incident” respectively, could be forgiven for thinking these events were minor.

    The compromises — in the case of Slack, the theft of employee credentials, and for CircleCI, the potential disclosure of every customer secret it stores — come two weeks after password manager LastPass revealed its own breach: the theft of customer password vaults containing sensitive data in both encrypted and clear-text form. It’s not clear whether the three breaches are related, but that’s certainly a possibility.

    The most concerning of the two new breaches is the one affecting CircleCI. On Wednesday night, the company reported a “security incident” that led it to advise customers to rotate “any secrets” they store on the service. The alert also informed customers that it had invalidated their Project API tokens, an event that required them to go through the trouble of replacing them.

    CircleCI says it is used by more than 1 million developers at 30,000 organizations and runs nearly 1 million jobs a day. The potential exposure of all those secrets — login credentials, access tokens, signing keys, and who knows what else — could be catastrophic for the security of a large part of the internet.

    A lack of transparency

    CircleCI is still tight-lipped about exactly what happened. The company never used the words “breach,” “compromise,” or “hack,” but that’s almost certainly what occurred. Exhibit A is the statement, “At this time, we are confident that no unauthorized actors are active in our systems,” which implies that intruders were active before. Exhibit B: the advice that customers check their internal logs for unauthorized access between December 21 and January 4.

    Taking the statements together, it is not hard to suspect that threat actors were active in CircleCI’s systems for two weeks. That’s enough time to collect an unimaginable amount of some of the most sensitive data in the industry.

    Slack’s advisory, meanwhile, is equally opaque. It’s dated December 31, but the Internet Archive didn’t capture it until Thursday, five days later. Clearly, Slack was in no hurry to publicize the event.

    Like the CircleCI disclosure, the Slack warning steers clear of concrete language and instead uses the passive phrase “were stolen and misused” without saying how. Adding to the lack of candor, the company embedded an HTML tag in the post in an attempt to keep search engines from indexing the warning.

    After obtaining the Slack employee tokens, the threat actor misused them to gain access to the company’s external GitHub account. From there, the intruders downloaded private code repositories. The advisory highlights that its customers were not affected and that “the threat actor had no access to other parts of the Slack environment, including the production environment, and had no access to other Slack resources or customer data.”

    Customers should take the statement with a generous helping of salt. Remember the LastPass advisory from August? It, too, used the vague phrase “security incident” and said “there was no access to customer data,” only to reveal the true extent of the breach on the last major business day of 2022. It wouldn’t be surprising if Slack or CircleCI updated its advisory to disclose access to customer data or to more sensitive parts of its network.

    Hacking the supply chain

    It is also possible that some or all of these breaches are related. The internet relies on a vast ecosystem of content delivery networks, authentication services, software development tool makers, and other businesses. Threat actors often hack into one company and use the data or access they gain to break into that company’s customers or partners.

    Such was the case with the August breach of communications provider Twilio, which led to Okta, Signal, DoorDash, and more than 130 other companies being compromised.

    Something similar played out in the last days of 2020 when hackers compromised SolarWinds, took control of its software build system, and used it to infect about 40 SolarWinds customers.

    For now, people should brace themselves for additional disclosures from companies they rely on. Checking internal system logs for suspicious entries, enabling multi-factor authentication, and patching network systems are always good ideas, but given current events, those precautions need to be accelerated. It is also worth checking logs for any contact with the IP address 54.145.167.181, which a security firm said was connected to the CircleCI breach.
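    As an added illustration of that log check (this is example code written for this page, not something published by CircleCI or the firm that reported the indicator), the script below parses web-server access log lines in the common Combined Log Format and returns the entries from 54.145.167.181 that fall inside the December 21 to January 4 window from CircleCI's advisory. The log lines are constructed for the example; the window end is deliberately set to January 5 (exclusive) so that all of January 4 is included, and the years are an assumption based on the advisory's dates.

```python
"""Flag log entries matching the CircleCI-related indicator described in the article.

Added example: constructed sample input, not real customer logs.
"""
import re
from datetime import datetime, timezone

# Indicator named in the article and the advisory's log-review window.
IOC_IP = "54.145.167.181"
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 5, tzinfo=timezone.utc)  # exclusive, so Jan 4 is fully covered

# Combined Log Format: client IP, ident, user, [timestamp], "request", status, bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (assumption: UTC timestamps, Combined Log Format).
SAMPLE_LOG = """\
54.145.167.181 - - [22/Dec/2022:03:14:07 +0000] "GET /api/v1/me HTTP/1.1" 200 512
203.0.113.9 - - [22/Dec/2022:03:15:01 +0000] "GET /login HTTP/1.1" 200 1024
54.145.167.181 - - [04/Jan/2023:23:59:58 +0000] "POST /api/v2/project/envvar HTTP/1.1" 201 88
54.145.167.181 - - [10/Jan/2023:09:00:00 +0000] "GET / HTTP/1.1" 200 10
this line is not in combined log format and is skipped
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for lines that don't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # %z handles the numeric offset so logs in other zones compare correctly.
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def find_ioc_hits(lines, ioc_ip=IOC_IP, start=WINDOW_START, end=WINDOW_END):
    """Return parsed entries whose client IP equals ioc_ip and whose timestamp is in [start, end)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] != ioc_ip:
            continue
        if start <= rec["ts"] < end:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG.splitlines()):
        print(hit["ts"].isoformat(), hit["ip"], hit["req"], hit["status"])
```

    The same filter applies to firewall or proxy egress logs, where the interesting field is the destination rather than the client address; only the regex's capture group needs to move. A hit is a reason to investigate, not proof of compromise, and a clean result only covers the logs you kept for that window.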

    People should also remember that despite companies’ assurances of transparency, their concise, carefully worded disclosures are designed to hide more than they reveal.