CircleCI is working with Amazon Web Services to notify customers with AWS tokens that might have been impacted by the Jan. 4 security incident, according to an update Wednesday from Rob Zuber, CTO at CircleCI. The notices are going out via email
AWS began sending updates to customers with lists of tokens that may have been impacted, according to the blog post. CircleCI said it wants to help identify and revoke any keys that may have been affected by the security incident.
The emails do not indicate anyone gained access to AWS accounts,but are sent because there is a possibility the token stored in CircleCI was leaked, according to the blog.
“Our goal in working with AWS on this additional level of communication is to help customers more easily identify, revoke or rotate any potentially affected keys,” a CircleCI spokesperson said via email.
CircleCI said the AWS alert relates to the original Jan. 4 incident and that no new information has come to light. The company put out a tweet to reassure customers the information was not a sign of any additional threat.
CircleCI announced earlier this week that it would provide customers with an incident report on Jan. 17 to update them with additional details on the original security incident.
Zuber originally urged customers last week to rotate their secrets, saying it was investigating a security incident. However the original post did not provide any details about what happened.
Customers were warned not only to rotate secrets, but check internal logs for any unauthorized access dating back to Dec. 21. That day, Zuber updated customers about reliability issues plaguing the company last year, but officials said the security incident is not related to past issues. Any connection between the dates is sheer coincidence, the company said.