new year, new hack disclosures —

First LastPass, now Slack and CircleCI. The hacks go on (and will likely worsen)

Don't expect victims to be forthcoming. Their alerts conceal more than they reveal.

Shot of a person looking at a hacking message on her monitor reading

In the past 24 hours, the world has learned of serious breaches hitting chat service Slack and software testing and delivery company CircleCI, though giving the companies' opaque wording—“security issue” and “security incident,” respectively—you'd be forgiven for thinking these events were minor.

The compromises—in Slack’s case, the theft of employee token credentials and for CircleCI, the possible exposure of all customer secrets it stores—come two weeks after password manager LastPass disclosed its own security failure: the theft of customers’ password vaults containing sensitive data in both encrypted and clear text form. It’s not clear if all three breaches are related, but that’s certainly a possibility.

The most concerning of the two new breaches is the one hitting CircleCI. On Wednesday evening, the company reported a “security incident” that prompted it to advise customers to rotate “all secrets” they store on the service. The alert also informed customers that it had invalidated their Project API tokens, an event requiring them to go through the hassle of replacing them.

CircleCI says it’s used by more than 1 million developers in support of 30,000 organizations and runs nearly 1 million daily jobs. The potential exposure of all those secrets—which could be login credentials, access tokens, and who knows what else—could prove disastrous for the security of the entire Internet.

A lack of transparency

CircleCI is still tight-lipped about precisely what happened. Its advisory never used the words “breach,” “compromise,” or “intrusion,” but that’s almost certainly what happened. Exhibit A is the statement: “At this point, we are confident that there are no unauthorized actors active in our systems,” suggesting that network intruders were active earlier. Exhibit B: the advice that customers check internal logs for unauthorized access between December 21 and January 4.

Taking the statements together, it’s not a stretch to suspect threat actors were active inside CircleCI’s systems for two weeks. That’s plenty of time to collect an unimaginable amount of some of the industry’s most sensitive data.

Slack’s advisory, meanwhile, is similarly opaque. It’s dated December 31, but the Internet Archives didn’t see it until Thursday, five days later. It’s clear Slack wasn’t in a hurry for the event to become widely known.

Like the CircleCI disclosure, the Slack alert also steers clear of concrete language and instead uses the passive phrase “were stolen and misused” without saying how. Adding to the lack of forthrightness: The company embedded the HTML tag in the post in an attempt to prevent search engines from indexing the alert.

After obtaining the Slack employee tokens, the threat actor misused them to gain access to the company’s external GitHub account. From there, the intruders downloaded private code repositories. The advisory stresses that its customers weren’t affected and that “the threat actor did not access other areas of Slack’s environment, including the production environment, and they did not access other Slack resources or customer data.”

Customers should take the statement with a generous helping of brine. Remember the LastPass advisory from August? It, too, used the opaque phrase “security incident” and said “no customer data was accessed,” only to reveal the true extent on the last major business day of 2022. It wouldn’t be surprising if Slack or CircleCI updated its advisories to disclose further access to customer data or more sensitive parts of their networks.

Hacking the supply chain

It’s possible, too, that some or all of these breaches are related. The Internet relies on a massive ecosystem of content delivery networks, authentication services, software development tool makers, and other companies. Threat actors frequently hack one company and use the data or access they obtain to breach that company's customers or partners.

That was the case with the August breach of security provider Twilio. The same threat actor targeted 136 other companies.

Something similar played out in the last days of 2020 when hackers compromised Solar Winds, gained control of its software build system, and used it to infect roughly 40 Solar Winds customers.

For now, people should brace themselves for additional disclosures from companies they rely on. Checking internal system logs for suspicious entries, turning on multifactor authentication, and patching network systems are always good ideas, but given the current events, those precautions should be expedited. It’s also worth checking logs for any contact with the IP address 54.145.167.181, which one security practitioner said was connected to the CircleCI breach.

People should also remember that despite companies’ assurances of transparency, their terse, carefully worded disclosures are designed to conceal more than they reveal.

Channel Ars Technica