First LastPass, now Slack and CircleCI. The hacks go on (and will likely worsen)

new year, new hack disclosures —

Don’t expect victims to be forthcoming. Their alerts conceal more than they reveal.


Shot of a person looking at a hacking message on her monitor reading

In the past 24 hours, the world has learned of serious breaches hitting chat service Slack and software testing and delivery company CircleCI, though giving the companies’ opaque wording—“security issue” and “security incident,” respectively—you’d be forgiven for thinking these events were minor.

The compromises—in Slack’s case, the theft of employee token credentials and for CircleCI, the possible exposure of all customer secrets it stores—come two weeks after password manager LastPass disclosed its own security failure: the theft of customers’ password vaults containing sensitive data in both encrypted and clear text form. It’s not clear if all three breaches are related, but that’s certainly a possibility.

The most concerning of the two new breaches is the one hitting CircleCI. On Wednesday evening, the company reported a “security incident” that prompted it to advise customers to rotate “all secrets” they store on the service. The alert also informed customers that it had invalidated their Project API tokens, an event requiring them to go through the hassle of replacing them.

CircleCI says it’s used by more than 1 million developers in support of 30,000 organizations and runs nearly 1 million daily jobs. The potential exposure of all those secrets—which could be login credentials, access tokens, and who knows what else—could prove disastrous for the security of the entire Internet.

A lack of transparency

CircleCI is still tight-lipped about precisely what happened. Its advisory never used the words “breach,” “compromise,” or “intrusion,” but that’s almost certainly what happened. Exhibit A is the statement: “At this point, we are confident that there are no unauthorized actors active in our systems,” suggesting that network intruders were active earlier. Exhibit B: the advice that customers check internal logs for unauthorized access between December 21 and January 4.

Taking the statements together, it’s not a stretch to suspect threat actors were active inside CircleCI’s systems for two weeks. That’s plenty of time to collect an unimaginable amount of some of the industry’s most sensitive data.

Slack’s advisory, meanwhile, is similarly opaque. It’s dated December 31, but the Internet Archives didn’t see it until Thursday, five days later. It’s clear Slack wasn’t in a hurry for the event to become widely known.

Like the CircleCI disclosure, the Slack alert also steers clear of concrete language and instead uses the passive phrase “were stolen and misused” without saying how. Adding to the lack of forthrightness: The company embedded the HTML tag in the post in an attempt to prevent search engines from indexing the alert.

After obtaining the Slack employee tokens, the threat actor misused them to gain access to the company’s external GitHub account. From there, the intruders downloaded private code repositories. The advisory stresses that its customers weren’t affected and that “the threat actor did not access other areas of Slack’s environment, including the production environment, and they did not access other Slack resources or customer data.”

Customers should take the statement with a generous helping of brine. Remember the LastPass advisory from August? It, too, used the opaque phrase “security incident” and said “no customer data was accessed,” only to reveal the true extent on the last major business day of 2022. It wouldn’t be surprising if Slack or CircleCI updated its advisories to disclose further access to customer data or more sensitive parts of their networks.

Hacking the supply chain

It’s possible, too, that some or all of these breaches are related. The Internet relies on a massive ecosystem of content delivery networks, authentication services, software development tool makers, and other companies. Threat actors frequently hack one company and use the data or access they obtain to breach that company’s customers or partners.

That was the case with the August breach of security provider Twilio that led to the compromise of Okta, Signal, DoorDash, and more than 130 other companies.

Something similar played out in the last days of 2020 when hackers compromised Solar Winds, gained control of its software build system, and used it to infect roughly 40 Solar Winds customers.

For now, people should brace themselves for additional disclosures from companies they rely on. Checking internal system logs for suspicious entries, turning on multifactor authentication, and patching network systems are always good ideas, but given the current events, those precautions should be expedited. It’s also worth checking logs for any contact with the IP address 54.145.167.181, which one security practitioner said was connected to the CircleCI breach.

People should also remember that despite companies’ assurances of transparency, their terse, carefully worded disclosures are designed to conceal more than they reveal.

Read More
Dan Goodin

Latest

Will Spain keep finding a way? Re-ranking the World Cup teams with six games remaining – The Athletic – The New York Times

Forty-eight teams started these World Cup finals a month ago — now only six remain. Tomorrow that will be whittled down to a final four. Morocco became the first quarter-finalists to be knocked out, losing 2-0 to the seemingly unstoppable France on Thursday, before brave Belgium finally succumbed to Spain in Los Angeles on Friday

Erling Haaland is Norway’s World Cup machine — and the internet’s ‘babygirl’ – AP News

Erling Haaland stands at 6 feet, 5 inches, an intimidating force who can make fellow soccer players look tiny in stature and talent. Scoring seven goals across four World Cup matches entering Saturday, the Norwegian player has been described as a machine. But if you ask some loyal new fans, he’s also a babygirl and

Woody Marks and 5 fantasy football sleepers trending toward a much bigger role

One way to get an edge in fantasy football? By keeping a close eye on offseason chatter. Which players are impressing reporters in OTAs? Which roster battles could go a different way than the average fan expects? Which rookie is going to end up rocketing up draft boards by August? These five players are fairly

Matt Miller Announces Indefinite Leave From ESPN Amid Investigation Over Alleged Fantasy Football Fraud

On June 23, ESPN NFL Draft analyst Matt Miller revealed that he was in a car crash and was brutally injured. The accident nearly caused him to lose his life, as his arm had to be amputated to keep him alive. Now that he is making his way back after a drastic change, Miller announced

Newsletter

Don't miss

Will Spain keep finding a way? Re-ranking the World Cup teams with six games remaining – The Athletic – The New York Times

Forty-eight teams started these World Cup finals a month ago — now only six remain. Tomorrow that will be whittled down to a final four. Morocco became the first quarter-finalists to be knocked out, losing 2-0 to the seemingly unstoppable France on Thursday, before brave Belgium finally succumbed to Spain in Los Angeles on Friday

Erling Haaland is Norway’s World Cup machine — and the internet’s ‘babygirl’ – AP News

Erling Haaland stands at 6 feet, 5 inches, an intimidating force who can make fellow soccer players look tiny in stature and talent. Scoring seven goals across four World Cup matches entering Saturday, the Norwegian player has been described as a machine. But if you ask some loyal new fans, he’s also a babygirl and

Woody Marks and 5 fantasy football sleepers trending toward a much bigger role

One way to get an edge in fantasy football? By keeping a close eye on offseason chatter. Which players are impressing reporters in OTAs? Which roster battles could go a different way than the average fan expects? Which rookie is going to end up rocketing up draft boards by August? These five players are fairly

Matt Miller Announces Indefinite Leave From ESPN Amid Investigation Over Alleged Fantasy Football Fraud

On June 23, ESPN NFL Draft analyst Matt Miller revealed that he was in a car crash and was brutally injured. The accident nearly caused him to lose his life, as his arm had to be amputated to keep him alive. Now that he is making his way back after a drastic change, Miller announced

Garrett Nussmeier’s QB Brother Receives Upsetting News on Football Career

Colton Nussmeier has run out of options to fix his eligibility for 2026. On July 9, the UIL State Executive Committee voted 4–1 to reject his appeal, a decision first shared by 247Sports’ Mike Roach. With that, his plan to play his senior season at Denton Ryan is over. The door at his old school

Breitbart Business Digest: Stacking Those $250 Trump Bills

Weekly Wrap: Making It Rain with Trump Bills Welcome back to Friday! This is the Breitbart Business Digest weekly wrap, our septidialogic sweep through the economic and financial news. This week the economy failed to get indigestion from the high price of gas, Treasury Secretary Scott Bessent told us about getting fed at the Fed, Trump

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity