by justinludwig
1251 days ago
Nice writeup. Allowing customer data and secrets to be exfiltrated is a pretty big fail, and will probably make a number of customers re-think their patronage at a time when supply-chain security is top-of-mind to many. But three things mentioned in their report do give me some confidence about the way CircleCI has engineered their internal systems:

1. They use SSO with 2FA ("an unauthorized third party leveraged malware deployed to a CircleCI engineer's laptop in order to steal a valid, 2FA-backed SSO session")

2. They maintain reasonably good audit logging (they could identify that "the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data" which had been exfiltrated)

3. They can rebuild everything from scratch ("we rotated all potentially exposed production hosts to ensure clean production machines")

A lot of companies pay lip service to best practices like these, but don't actually implement them thoroughly (or at all). The fact that CircleCI could rely on them under attack makes me think they're doing a better job than 90% of the SaaS companies out there.