Circle Internet Services Inc., the provider of the software development and deployment platform, warned its users on Wednesday that it experienced a security breach over the holidays and urged them to rotate their secrets.

CircleCI is a continuous integration and delivery platform that is used by software developers, engineers, information technology teams and DevOps teams to accelerate the delivery of software using automation. The platform hosts more than a million users who rely on it for their projects.

In a blog post, CircleCI Chief Technology Officer Rob Zuber said the company is currently researching the incident. “At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well,” Zuber said.

While the investigation is ongoing, the company is asking users to change all of their secrets – including passwords, application programming interface keys or digital certificates – that might be embedded in their code, as well as anything that may be stored in environment variables or in development contexts.

All projects using API tokens to access or use CircleCI’s resources have also been invalidated as well and they will need to be replaced.

Because of the timing of the security breach, Zuber advised that users audit their logs for any unauthorized access between Dec. 21, 2022 and Jan. 4, 2023, or upon the completion of secrets rotation. That potentially means the breach happened just before the holidays.

CircleCI suffered a previous data breach in 2019 when a third-party vendor was breached and hackers stole user data, including user names and email addresses associated with GitHub and BitBucket. In November, the company also warned users about an uptick in phishing emails impersonating official CircleCI in order to trick users into giving up their account information so that attackers could gain access to their code repositories on GitHub.

The company has not revealed any further details about the incident, although Zuber said it’s still being actively investigated and more information will be revealed as it comes to light.

“We apologize for any disruption to your work,” Zuber said. “We take the security of our systems and our customers’ systems extremely seriously. While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days.”

Image: CircleCI