Credential theft
CircleCI Secrets Breach: Customer Environment Variables, Tokens, and Keys Stolen
Primary Source: Incident Details
In December 2022 (disclosed 4 January 2023), CircleCI, a widely used CI/CD platform with over 500,000 developer users, discovered that an attacker had stolen customer environment variables, tokens, and keys. The attack was enabled by malware on a CircleCI engineer's laptop that stole the engineer's SSO session cookie, bypassing 2FA. The stolen session was used to access and exfiltrate CircleCI's customer secrets stored in their pipeline configuration.

CircleCI stores environment variables that developers set in their CI/CD pipelines; these often contain cloud provider API keys, database credentials, SSH keys, and other sensitive secrets. All CircleCI customers were advised to rotate any secrets stored in CircleCI immediately. Some customers received alerts from GitHub, AWS, and other services about suspicious use of their credentials in the days surrounding the disclosure. GitHub notified customers of potentially compromised OAuth tokens.

CircleCI's investigation determined the attacker had access to some customer data during the period of 16 December 2022 to 4 January 2023. All customer environment variables on the CircleCI platform were encrypted at rest with per-customer encryption keys; however, the attacker obtained both the encrypted data and the decryption keys from production. The incident highlighted how CI/CD platforms are a prime target for credential theft given the concentration of secrets they store.
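A defender-side check for the attack vector described above, added here as an example and not code from CircleCI or its incident report: it binds each SSO session id to the client that first presented it, flags reuse of that session from a different client, and requires a fresh MFA assertion for sensitive actions rather than trusting the cookie alone. The event fields and sample values are constructed, not CircleCI's log schema.

```python
"""Session-binding and step-up checks against stolen-cookie replay (added example)."""

# Constructed SSO session events; field names are assumptions, not CircleCI's schema.
EVENTS = [
    {"sid": "s-1", "user": "eng1", "ip": "10.0.0.5", "ua": "Mac/Chrome", "ts": 100, "mfa_at": 100},
    {"sid": "s-1", "user": "eng1", "ip": "10.0.0.5", "ua": "Mac/Chrome", "ts": 400, "mfa_at": 100},
    # Same session cookie presented from a different host and client:
    # consistent with a replayed cookie, not a new login that passed 2FA.
    {"sid": "s-1", "user": "eng1", "ip": "203.0.113.7", "ua": "Linux/curl", "ts": 900, "mfa_at": 100},
    {"sid": "s-2", "user": "eng2", "ip": "10.0.0.9", "ua": "Mac/Chrome", "ts": 950, "mfa_at": 950},
]


def detect_session_reuse(events):
    """Flag any session id whose client fingerprint (IP, user agent) changes after issue."""
    bound = {}   # sid -> fingerprint of the client that first used the cookie
    alerts = []
    for e in events:
        fp = (e["ip"], e["ua"])
        if e["sid"] not in bound:
            bound[e["sid"]] = fp
        elif bound[e["sid"]] != fp:
            alerts.append({"sid": e["sid"], "user": e["user"], "ts": e["ts"],
                           "reason": "client_mismatch"})
    return alerts


def needs_step_up(event, now, max_mfa_age=600):
    """Sensitive actions (reading production key material, for example) should not
    trust the session cookie alone: demand an MFA assertion fresher than max_mfa_age
    seconds, which a replayed cookie cannot supply on its own."""
    return now - event["mfa_at"] > max_mfa_age


if __name__ == "__main__":
    for alert in detect_session_reuse(EVENTS):
        print("ALERT", alert)
    print("step-up required for event 3:", needs_step_up(EVENTS[2], now=900))
```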
Technical Details
- Initial Attack Vector
- Malware was deployed on a CircleCI engineer's laptop that had access to production systems. The malware stole a valid session cookie and bypassed 2FA, allowing the attacker to impersonate the engineer's session. The attacker then exfiltrated customer data and encryption keys from CircleCI's production infrastructure.
- Vendor / Product
- CircleCI CI/CD platform (customer environment variables and secrets)
Timeline
- 2022-12-16 Breach occurred
- 2023-01-04 Publicly disclosed
- 2023-01-04 Customers notified