
In the past 24 hours, the world has learned of serious breaches hitting chat service Slack and software testing and delivery company CircleCI, though given the companies' opaque wording ("security issue" and "security incident", respectively), you'd be forgiven for thinking these events were insignificant.

The compromises, in Slack's case the theft of employee token credentials and in CircleCI's case the possible exposure of every customer secret it stores, come two weeks after password manager LastPass disclosed its own security failure: the theft of customers' password vaults containing sensitive data in both encrypted and clear-text form. It's not clear whether the three breaches are related, but that is certainly a possibility.

CircleCI's breach is the more concerning of the two. On Wednesday evening, the company reported a "security incident" and advised customers to rotate all secrets they store in CircleCI. The alert also told customers that their Project API tokens had been invalidated and would have to be replaced.

CircleCI says it is used by more than one million developers in support of 30,000 organizations. It could be disastrous for the security of the internet if all those secrets are exposed.

A lack of transparency

CircleCI isn't saying much about what happened. It never uses the words "breach," "compromise," or "intrusion," but that's almost certainly what occurred. The statement says "there are no unauthorized actors active in our systems" and advises customers to review their internal logs for unauthorized access from December 21 onward.

That means threat actors may have been active inside CircleCI's systems for roughly two weeks, which is plenty of time to collect some of the most sensitive data customers store there.


Slack's advisory is similar. The Internet Archive did not capture it until five days after it was posted, suggesting the company was in no hurry for the news to be widely known.

Like CircleCI's disclosure, the Slack alert steers clear of concrete language and instead uses the passive construction "were stolen and misused." Adding to the lack of candor is the company's attempt to prevent search engines from indexing the alert.

According to the alert, the threat actor used the stolen employee tokens to gain access to a code-hosting account belonging to the company and downloaded private code repositories from there. Slack says the threat actor did not have access to other areas of its environment, including the production environment, and did not have access to customer data.

That statement should be taken with a generous amount of salt. LastPass's initial advisory came in August, but the true extent of that incident wasn't revealed until the last day of the year. It's likely that new advisories from Slack and CircleCI will disclose more access to customer data or to more sensitive parts of their networks.

Hacking the supply chain

The episodes underscore how much of the internet depends on a web of interdependent companies. Threat actors often hack one company and use the data or access they obtain to break into that company's customers or partners.

The August breach of communications provider Twilio, for example, led to the compromise of more than 130 other companies.

Something similar played out in the last days of 2020, when hackers compromised SolarWinds, gained control of its software build system, and used it to infect roughly 40 SolarWinds customers.

People should be prepared for more disclosures from the companies they depend on. It's always a good idea to check internal system logs for suspicious entries, but given current events, those checks should be expedited. In particular, check logs for any contact with the address 54.145.167.181, which one security professional said was connected to the CircleCI breach.
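The two concrete checks the advisories ask for, reviewing logs for unauthorized access from December 21 onward and searching for contact with the one address named above, can be combined into a single pass over a log file. The following is an added example, not code from CircleCI, Slack or the original article. It assumes logs in the common "combined" web-server format, uses the indicator IP and the December 21, 2022 review date from the text, and treats a small set of secret- and token-related URL paths as sensitive (that path list is an assumption for illustration). The sample log lines are constructed.

```python
"""Review logs for the indicators named in the advisories above.

Added example; not code from CircleCI, Slack or the original article.
Assumes combined-format web logs (an assumption), the single indicator
IP from the text, and a review window starting December 21, 2022 as
CircleCI advised. The sample log lines are constructed, not real traffic.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Indicator from the article: the address one researcher tied to the CircleCI breach.
IOC_IPS = frozenset({ipaddress.ip_address("54.145.167.181")})

# CircleCI asked customers to review logs for unauthorized access from this date on.
REVIEW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)

# Paths worth a second look inside the window (assumption for illustration;
# substitute the endpoints that expose secrets or tokens in your own systems).
SENSITIVE_PATH = re.compile(r"/(secrets|tokens|env)\b")

# Combined log format: client IP, identd, user, [timestamp], "request", status, size,
# optionally followed by "referer" "user-agent" (ignored here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2022:09:14:02 +0000] "GET /api/v1/me HTTP/1.1" 200 512 "-" "curl/7.85"
54.145.167.181 - - [22/Dec/2022:03:41:17 +0000] "POST /api/v1/secrets/export HTTP/1.1" 200 9120 "-" "python-requests/2.28"
10.0.0.9 - - [23/Dec/2022:11:02:45 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Dec/2022:11:02:45 +0000] "GET /api/v1/tokens HTTP/1.1" 200 300 "-" "Mozilla/5.0"
54.145.167.181 - - [19/Dec/2022:23:59:59 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/7.85"
this line is deliberately malformed and must be skipped rather than crash the scan
"""


def parse_line(line):
    """Return a record for a parsable combined-format line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    parts = m.group("req").split(" ")
    path = parts[1] if len(parts) >= 2 else ""
    return {"ip": ip, "ts": ts, "path": path, "status": int(m.group("status"))}


def find_suspicious(log_text, ioc_ips=IOC_IPS, since=REVIEW_START):
    """Scan log text; flag IOC contacts (any date) and sensitive paths inside the window."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        in_window = rec["ts"] >= since
        reasons = []
        if rec["ip"] in ioc_ips:
            # Flag regardless of date: the IOC's link to the incident is one analyst's claim,
            # so earlier contact is still worth a look rather than silently dropped.
            reasons.append("ioc_ip")
        if in_window and SENSITIVE_PATH.search(rec["path"]):
            reasons.append("sensitive_path_in_window")
        if reasons:
            hits.append({
                "line": lineno,
                "ip": str(rec["ip"]),
                "ts": rec["ts"].isoformat(),
                "path": rec["path"],
                "in_window": in_window,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A single IP reported by one researcher is a weak indicator on its own, so the scan records why each line was flagged and leaves the final call to a human; hits on the sensitive-path rule inside the window are the ones to correlate with your own CI and secret-store audit trails before deciding whether rotation alone is enough.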

The terse, carefully worded disclosures that companies make are designed to hide more than they reveal.