[CircleCI Security Alert] Rotate Any Secrets Stored in CircleCI (Updated)

UPDATE (January 16, 2023) – CircleCI has published a full report that includes more details about the incident. VIP recommends that affected customers review this document and reach out to support with any further questions or concerns.


UPDATE (January 6, 2023) – CircleCI has updated their initial post with more information and instructions. They now recommend rotating all secrets, keys, and tokens of any kind stored on their service. Please refer to CircleCI’s disclosure post for the most up-to-date information and instructions concerning this incident.


On Wednesday, January 4, 2023, CircleCI disclosed a security incident that affects VIP customers who use CircleCI. At this time, CircleCI reports the incident is contained and no unauthorized actors are active in their system, but recommends that CircleCI users rotate any secrets stored on their service. 

If you have never used CircleCI, no action is necessary. We are communicating this to all customers as part of our ongoing commitment to security. We are also reaching out directly to the WordPress VIP customers that have used CircleCI.

If you have used CircleCI, you should take the following preventative actions as soon as possible:

  • Immediately review and rotate any and all secrets stored in CircleCI. These may be stored in project environment variables, in contexts, or in other areas.
  • Review any internal logs of your systems for any unauthorized access starting from December 21, 2022, through the completion of your secrets rotation.
  • Rotate any SSH keys used for CircleCI to communicate with GitHub or any other system. You may have set these up initially, and our documentation details how to rotate these keys.
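
One way to scope the log review in the second step, as an added example that is not from CircleCI or WordPress VIP: it flags use of credentials that were stored in CircleCI, from December 21, 2022 until each credential's rotation completed, when the source is not one you expect. The log format, credential names, rotation times and source allowlist are all constructed assumptions.

```python
from datetime import datetime, timezone

# Start of the review window stated in the advisory.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)

# Constructed inventory: credential id -> time its rotation completed.
# None means not rotated yet, so its review window is still open.
ROTATED_AT = {
    "deploy-key-01": datetime(2023, 1, 5, 14, 0, tzinfo=timezone.utc),
    "api-token-ci": None,
}
# Hypothetical allowlist of sources expected to use these credentials.
EXPECTED_SOURCES = {"203.0.113.10"}

# Constructed sample log: "<UTC timestamp> <credential id> <source ip> <action>"
SAMPLE_LOG = """\
2022-12-20T23:59:00Z deploy-key-01 198.51.100.7 git-fetch
2022-12-22T03:12:44Z deploy-key-01 203.0.113.10 git-fetch
2022-12-29T01:05:10Z deploy-key-01 198.51.100.7 git-clone
2023-01-05T15:30:00Z deploy-key-01 198.51.100.7 git-clone
2023-01-09T08:00:00Z api-token-ci 192.0.2.55 list-projects
2023-01-09T08:01:00Z personal-token 192.0.2.55 list-projects
malformed line
"""

def parse_line(line):
    """Return (timestamp, credential, source, action), or None if unparsable."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]

def suspicious_events(log_text, rotated_at=ROTATED_AT, expected=EXPECTED_SOURCES):
    """Events inside a credential's exposure window from an unexpected source."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event[1] not in rotated_at:
            continue  # unparsable, or a credential never stored in CircleCI
        ts, cred, src, action = event
        end = rotated_at[cred]
        in_window = ts >= WINDOW_START and (end is None or ts <= end)
        if in_window and src not in expected:
            hits.append((ts.isoformat(), cred, src, action))
    return hits
```

Calling `suspicious_events(SAMPLE_LOG)` returns the events to investigate; a credential left as `None` in the inventory keeps matching until a rotation time is recorded for it.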

CircleCI’s blog post has the most up-to-date information about their ongoing. WordPress VIP will update you if any further action is necessary.

As always, if you have any questions or concerns, please open a support ticket.