
incidents.cremit.io

An index of real-world non-human identity (NHI) credential leak incidents. Operated by Cremit.


© 2026 Cremit. Free to reuse with attribution.

CRITICAL 8.6 · confirmed · Disclosed Jan 4, 2023 · 3 min read

CircleCI Session Token Breach (2023)

Malware on a CircleCI engineer's laptop stole a 2FA-backed session token, giving the attacker production access to customer environment variables and any secrets stored in CircleCI.

Summary

On January 4, 2023, CircleCI disclosed that an unauthorized third party had stolen a CircleCI engineer's authenticated session token via malware on the engineer's laptop. The token bypassed 2FA because it represented an already-authenticated session. With it, the attacker accessed and exfiltrated data including customer environment variables, tokens, and keys. CircleCI advised every customer to rotate every secret stored in the platform.

Timeline

  • 2022-12-16 — Malware deployed on a CircleCI engineer's laptop; the system's antivirus did not detect it. The malware harvested an authenticated SSO session token.
  • 2022-12-19 → 2023-01-04 — Attacker uses the stolen session to access internal CircleCI systems and exfiltrate a subset of customer data.
  • 2023-01-04 — CircleCI publicly discloses the incident and instructs all customers to rotate every secret stored in CircleCI.
  • 2023-01-13 — CircleCI publishes its full incident report.

Attack Vector

Three properties of the attack are worth calling out:

  1. The initial vector was endpoint malware, not an exploit against CircleCI's own infrastructure. The compromised engineer's laptop ran an antivirus product that did not detect the malware.
  2. 2FA was bypassed via session token theft, not by phishing the second factor. The session token represented an SSO-authenticated session and granted the attacker the engineer's existing access to internal production systems.
  3. The blast radius was every secret stored on the platform, because CircleCI engineers with production access can reach customer data — by design, for support and reliability use cases.

Tokens & Credentials Exposed

CircleCI's guidance instructed customers to rotate, at minimum:

  • Every project environment variable
  • Every context variable
  • Every Project API token issued before January 4, 2023
  • All Personal API tokens
  • All third-party tokens stored as environment variables (AWS, GitHub, npm, etc.)

Because CircleCI environments commonly hold AWS deploy keys, GitHub PATs with private-repo access, npm publish tokens, and OAuth tokens to deployment platforms (Vercel, Netlify, Heroku), the practical exposure surface is identical to the Codecov 2021 incident in shape — the entire credential graph that downstream pipelines depend on.
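The rotation list above only helps if you know which credential families actually live in each project and context. The following is an added example (not CircleCI's or Cremit's code) that builds a prioritized rotation inventory from data shaped like CircleCI API v2 list responses; the project slugs, variable names and token labels are constructed, and the priority table is an assumption you would tune to your own environment.

```python
from datetime import date, datetime

DISCLOSURE_CUTOFF = date(2023, 1, 4)   # rotate Project API tokens issued before this

# Constructed sample data shaped like CircleCI API v2 list responses (the API masks
# values, so only names are useful here). Not real projects, tokens or secrets.
PROJECT_ENVVARS = {
    "gh/acme/api": [{"name": "AWS_ACCESS_KEY_ID", "value": "xxxxABCD"},
                    {"name": "AWS_SECRET_ACCESS_KEY", "value": "xxxxEF01"},
                    {"name": "NPM_TOKEN", "value": "xxxx9f2a"}],
    "gh/acme/web": [{"name": "GITHUB_TOKEN", "value": "xxxx77c1"},
                    {"name": "VERCEL_TOKEN", "value": "xxxx0b3d"}],
}
CONTEXT_ENVVARS = {"prod-deploy": [{"variable": "AWS_SECRET_ACCESS_KEY"}]}
PROJECT_API_TOKENS = [
    {"label": "deploy-bot", "created_at": "2022-11-02T10:00:00Z"},
    {"label": "post-incident", "created_at": "2023-01-05T09:00:00Z"},
]

# Name fragment -> (credential family, rotation priority; 1 rotates first).
# Cloud keys and source-control PATs go first: they reach the most downstream systems.
PATTERNS = [
    ("AWS_", "AWS Access Key", 1),
    ("GITHUB", "GitHub PAT", 1),
    ("NPM_TOKEN", "npm publish token", 2),
    ("VERCEL", "OAuth Token (deploy platform)", 2),
]

def classify(name):
    """Map a variable name to its credential family; unknowns get manual review."""
    upper = name.upper()
    for frag, family, prio in PATTERNS:
        if frag in upper:
            return family, prio
    return "Unknown (review manually)", 3

def entry(scope, name, family, prio):
    return {"scope": scope, "name": name, "family": family, "priority": prio}

def build_inventory():
    """Return rotation entries sorted by priority, then scope and name."""
    entries = []
    for slug, items in PROJECT_ENVVARS.items():
        entries += [entry("project:" + slug, it["name"], *classify(it["name"])) for it in items]
    for ctx, items in CONTEXT_ENVVARS.items():
        entries += [entry("context:" + ctx, it["variable"], *classify(it["variable"])) for it in items]
    for tok in PROJECT_API_TOKENS:  # tokens issued before the cutoff are in scope
        issued = datetime.fromisoformat(tok["created_at"].replace("Z", "+00:00")).date()
        if issued < DISCLOSURE_CUTOFF:
            entries.append(entry("project-api-token", tok["label"], "Project API token", 1))
    return sorted(entries, key=lambda e: (e["priority"], e["scope"], e["name"]))
```

Anything that lands in the "review manually" bucket is exactly the unattributed key the analysis below warns about: a credential nobody can name, reach or prioritize during a rotation.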

Confirmed Impact

  • Encryption key theft: CircleCI's incident report confirmed the attacker accessed an encryption key from a running process, allowing decryption of some customer data at rest.
  • Targeted exfiltration: A subset of customers' encrypted secrets were exfiltrated.
  • Downstream rotation events: Every CircleCI customer that took the guidance seriously had to rotate cloud, source control, and third-party credentials platform-wide.

CircleCI did not publicly enumerate which specific customers had data exfiltrated, instead instructing all customers to rotate as a precaution.

Mitigation & Lessons

The structural lessons:

  • Session token theft trumps 2FA. A stolen session token is post-authentication credential material. Treat session lifetime and binding (IP, device fingerprint, hardware key) as a primary control, not an afterthought.
  • CI/CD platform credentials are platform-equivalent. Whatever you store in your CI/CD platform's environment variable store has the same blast radius as if you posted it to that platform's main login page.
  • Rotation needs to be a regular drill, not a fire drill. Customers without an inventory of their CircleCI-resident credentials spent days reconstructing it after January 4. The cost of "rotate everything" is bounded only by how well you know what "everything" is.
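The first lesson, session binding and a bounded lifetime, is simple to enforce server-side. This added example (not CircleCI's code) binds each session to an HMAC of its device attributes and to an absolute TTL, and revokes the session outright when a copied token is presented from a different device; the server key, fingerprint inputs and TTL are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 8 * 3600                 # absolute lifetime, not idle timeout
SERVER_KEY = b"constructed-server-side-key"   # assumption: held in a KMS/HSM in practice

def device_fingerprint(user_agent, client_ip, hw_key_id):
    """HMAC the binding attributes so the raw values are never stored with the session."""
    material = "\n".join([user_agent, client_ip, hw_key_id]).encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()

class SessionStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}

    def create(self, user, fingerprint):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "fp": fingerprint, "issued": self._now()}
        return token

    def validate(self, token, fingerprint):
        """Return (ok, detail). Any mismatch or expiry removes the session."""
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown token"
        if self._now() - s["issued"] > SESSION_TTL_SECONDS:
            self._sessions.pop(token)
            return False, "expired"
        if not hmac.compare_digest(s["fp"], fingerprint):
            self._sessions.pop(token)  # token replayed from another device: kill it
            return False, "binding mismatch"
        return True, s["user"]
```

A stolen token in this model is only useful from the same IP, user agent and hardware key, and only until the absolute TTL runs out; a mismatch also gives the SOC a clean detection signal.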

Cremit Analysis

Like Codecov 2021, this is a textbook unattributed-key incident. The technical compromise was almost trivial — endpoint malware, session token theft — but the response cost across thousands of customer organizations was enormous because nobody had an authoritative list of which credentials lived in CircleCI, what they reached, and which to rotate first.

The NHI Severity Index score of 8.6 reflects ecosystem-wide blast radius (any CircleCI customer), production reachability, and variable privilege depending on the customer's setup.

The generalizable lesson — and the one that links Codecov 2021, CircleCI 2023, and the 2026 supply chain wave — is that CI/CD platforms are NHI concentrators. They aggregate credentials from across the customer's entire cloud and SaaS footprint. A compromise of the platform is, by definition, a compromise of every secret the platform holds.



Last reviewed / 2026-05-01 · Reviewer / ben · License / CC BY 4.0
Incident metadata

  • Severity: CRITICAL 8.6
  • Status: confirmed
  • Disclosed: 2023-01-04
  • Occurred: 2022-12-16 → 2023-01-04
  • Vector: CI/CD compromise
  • Platforms: CircleCI, GitHub, AWS
  • Tokens: API Key (generic), Environment Variable, GitHub PAT, AWS Access Key, OAuth Token (generic)
  • NHI Severity Index: score 8.6 / 10 · blast radius ecosystem-wide · reachability production · privilege variable
  • NHI kill chain: Unattributed Key
  • Indicators: exposure window 19 days