Hacker News
by theogravity 1262 days ago
Does this also include deploy SSH keys?
4 comments

Thanks. Sigh, I have ~20 OSS repos with them that I'll need to generate new keys for then.
Given the wording of "any and all secrets" I would not take any chances.
"Immediately rotate any and all secrets stored in CircleCI. These may be stored in project environment variables or in contexts."

The blog post calls out "environment variables" and "contexts"

Emphasis on may be; not to mention, they are actively investigating the breach and do not have all the information at this time.
We contacted CircleCI support and they clarified their blog post statement with the following info:

"Thank you for contacting CircleCI Support.

This does also apply to SSH Keys, as such we do recommend to rotate SSH Keys as well as to take extra caution.

If you have any other concerns please reach out."

Better to be cautious and rotate those too, right?