Related: urql-graphql/urql#2927
Summary
Circle CI has reported that on December 22, 2022, attackers had access to their systems and were potentially able to extract stored data, encrypted at rest, and — more importantly — encryption keys from any running system. As far as I'm aware, this potentially affects any environment variable secret that is stored in Circle CI.
Procedure
As a safety precaution, I'd like to make sure we invalidate and rotate every secret that is stored in Circle CI that affects this repository.
We have no reason to believe any secrets were actually exposed or compromised just yet, but there's no excuse for us not to proactively rotate them.
Task
This repository is and has used Circle CI actively. The configuration file can be found here: https://github.com/urql-graphql/urql-devtools/blob/4e7f7f6366984595cd119788d05107b382dbaba6/.circleci/config.yml (Last updated: Mar 18, 2022)
The secrets listed in this file are:
- CLIENT_SECRET (Chrome extension publishing secret)
- FIREFOX_API_SECRET (Firefox extension publishing secret)
- REFRESH_TOKEN (Chrome store API key)
- npm_TOKEN (HIGH RISK, npm publishing token)
Note: The good news here is that the extension stores' publishing process is "sluggish", meaning that we have a bit of time to rotate the secrets. The npm token's origin and access is probably more worrying.
These secrets should be invalidated as soon as possible.
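The first step of the procedure above is knowing exactly which stored variables a CircleCI config references. The script below is an added example, not code from this issue or from the urql-devtools repository: it scans a config for shell-style `$VAR` / `${VAR}` references, drops the variables CircleCI injects itself, and flags names that look like credentials for rotation. The embedded config is constructed for the example from the four variable names listed in this issue (plus plausible companions such as `CLIENT_ID`); it is not the real `.circleci/config.yml`, and the name-based classification is a heuristic assumption, not something the page describes.

```python
import re
from typing import Dict, List

# Constructed sample config for this example. It reuses the variable names from
# the issue but is NOT the actual urql-devtools .circleci/config.yml.
SAMPLE_CONFIG = """\
version: 2.1
jobs:
  publish:
    docker:
      - image: cimg/node:16.18
    steps:
      - checkout
      - run:
          name: Publish to npm
          command: |
            echo "//registry.npmjs.org/:_authToken=${npm_TOKEN}" > ~/.npmrc
            npm publish
      - run:
          name: Publish to Chrome Web Store
          command: |
            npx chrome-webstore-upload-cli upload \\
              --client-id "$CLIENT_ID" \\
              --client-secret "$CLIENT_SECRET" \\
              --refresh-token "$REFRESH_TOKEN"
      - run:
          name: Publish to Firefox Add-ons
          command: npx web-ext sign --api-key "$FIREFOX_API_KEY" --api-secret "$FIREFOX_API_SECRET"
      - run: echo "Built $CIRCLE_SHA1 on branch $CIRCLE_BRANCH"
"""

# Substrings that mark a variable as credential-like (assumed heuristic).
SECRET_HINTS = ("SECRET", "TOKEN", "KEY", "PASSWORD", "REFRESH")

# Matches $NAME and ${NAME}; CircleCI "run" commands are shell, so this is
# where stored environment variables surface in the config.
ENV_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def is_builtin(name: str) -> bool:
    """True for variables CircleCI sets on every job; they are not stored secrets."""
    return name == "CI" or name.startswith("CIRCLE_")


def find_env_refs(config_text: str) -> Dict[str, List[int]]:
    """Map every referenced variable name to the 1-based config lines that use it."""
    refs: Dict[str, List[int]] = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for match in ENV_REF.finditer(line):
            refs.setdefault(match.group(1), []).append(lineno)
    return refs


def classify(config_text: str) -> Dict[str, List[str]]:
    """Split referenced variables into rotate / review / builtin buckets.

    'rotate'  - stored variables whose name looks like a credential
    'review'  - stored variables with a non-credential-looking name (decide by hand)
    'builtin' - CircleCI-provided values, nothing to rotate
    """
    buckets: Dict[str, List[str]] = {"rotate": [], "review": [], "builtin": []}
    for name in sorted(find_env_refs(config_text)):
        if is_builtin(name):
            buckets["builtin"].append(name)
        elif any(hint in name.upper() for hint in SECRET_HINTS):
            buckets["rotate"].append(name)
        else:
            buckets["review"].append(name)
    return buckets


def rotation_checklist(config_text: str) -> str:
    """Render a plain-text checklist: one line per variable with where it is used."""
    refs = find_env_refs(config_text)
    buckets = classify(config_text)
    lines = []
    for bucket, label in (("rotate", "ROTATE"), ("review", "REVIEW"), ("builtin", "builtin")):
        for name in buckets[bucket]:
            used = ", ".join(str(n) for n in refs[name])
            lines.append(f"[{label}] {name} (config lines {used})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(rotation_checklist(SAMPLE_CONFIG))
```

Run it against a real config by reading the file into `config_text`; every name in the ROTATE bucket is one to revoke at its issuer (npm, the Chrome Web Store, AMO) and then recreate in the CircleCI project, since deleting the CircleCI variable alone does not invalidate the credential itself.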