Skip to Content

Hackers Compromised CircleCI Engineer’s Laptop to Gain Elevated Privileges

CircleCI has disclosed that a laptop belonging to one of its engineers was compromised in mid-December. The attackers used data-stealing malware that allowed them to obtain elevated privileges within CircleCI’s systems. CircleCI became aware of suspicious activity on December 29, conducted an investigation, and disclosed the breach on January 4.


  • I appreciate CircleCI being transparent and helping us all learn. When using CI/CD tools, there is no way around entrusting them with some form of credentials. Make sure to keep those credentials ephemeral and rotate them frequently.
  • Good example of a targeted attack that went after an employee with privileges to generate production access tokens. The CircleCI actions taken also point out the risks of too many employees being given production access and the risks that SSO approaches bring, even when multifactor authentication is used for initial authentication.
  • Well done to CircleCI for being so transparent in their incident report. This is a great reminder that security has to be seen as a holistic challenge rather than focusing on just one area within an organization. Too often I see companies thinking that their production systems in the cloud are secure and therefore they need not worry as much about other parts of their infrastructure, in particular the end points. You need to identify every possible route a compromise can take and secure it accordingly. I will be keeping this report to hand for future client engagements who tell me they don’t need to worry about their developers’ devices as the production environment is secure.
  • Kudos to CircleCI for their transparency. Be aware of your “weakest links.” While there is no such thing as perfect security, it is possible to implement many measures to reduce risks, to include modern EDR, MFA, MDM, and logging. With the change of the perimeter, due to efforts such as Cloud and ZTA, make sure that endpoints are hardened and defenses enabled. Where you are using long lived credentials, make sure that you can rapidly change them in the event of a breach. Verify controls are in place, and are not bypassed, regularly.
  • Theft of user credentials, especially elevated privileges, is the ‘holy grail’ for cyber criminals. It allows easy system access and with elevated privileges, ease in traversing the enterprise. Interestingly, both multi-factor authentication (MFA) and data encryption defenses were employed by CircleCI but were ultimately compromised. This indicates that the adversary was highly skilled to both bypass the additional authentication method and separately, recover ‘running’ encryption keys. Organizations should revisit their configuration of MFA to protect against credential harvesting attacks.


Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.