ℹ️ Note: After a quick scan, I've determined that no user-affecting secrets have been stored in Circle CI. The environment variables stored there do not contain any npm credentials or anything else. This is purely an incident affecting infrastructure accounts for the documentation.
Summary
Circle CI has reported that on December 22, 2022 attackers had access to their systems and were potentially able to extract stored data, encrypted at rest, and — more importantly — encryption keys from any running system. As far as I'm aware, this potentially affects any environment variable secret that is stored in Circle CI.
Procedure
As a safety precaution, I'd like to make sure we invalidate and rotate every secret that was stored in Circle CI which affects this repository.
We have no reason to believe any secrets were actually exposed or compromised just yet, but there's no excuse for us not to proactively rotate them.
Task
This repository has not used Circle CI actively. As such, old secrets are contained within Circle CI that are only related to the urql documentation, specifically a restricted AWS key and a Surge API token.
The secrets listed on Circle CI are:
AWS_SECRET_ACCESS_KEY (For publishing production docs)
SURGE_TOKEN (For publishing staging/preview docs)
These secrets should be invalidated as soon as someone is available to do so.
There's less of an urgency to this than for urql-devtools as this affects no user machines.
See for Incident Report
Related: urql-graphql/urql-devtools#402
cc @JoviDeCroock @gksander @ryan-roemer