
Timeline matches with the Travis breach. So far likely impacted:

1. Slack

2. Okta (https://news.ycombinator.com/item?id=34081154)

3. Coa (https://github.com/veged/coa/issues/99#issuecomment-96169688...)



Add yesterday's announcement about CircleCI[0] and you have even more plausible options.

[0]: https://circleci.com/blog/january-4-2023-security-alert/


CircleCI uses Travis?


Wow wow wow. It would have been great for CircleCI to actually send an email with this info. I have a couple of OSS repos with them…


They did. Or at least I got it


I got one at 9:31pm Eastern Time last night (Jan 4, 2022):

Here's what it said:

We wanted to make you aware that we are currently investigating a security incident, and that our investigation is ongoing. We will provide you updates about this incident, and our response, as they become available. At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well.

Action request:

Out of an abundance of caution, we strongly recommend that all customers take the following actions:

- Immediately rotate any and all secrets stored in CircleCI. These may be stored in project environment variables or in contexts.

- We also recommend customers review internal logs for their systems for any unauthorized access starting from December 21, 2022 through today, January 4, 2023, or upon completion of your secrets rotation.

Additionally, if your project uses Project API tokens, we have invalidated those and you will need to replace them. You can find more information on how to do that in our documentation here.

We apologize for any disruption to your work. We take the security of our systems and our customers’ systems extremely seriously. While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days.

Thank you for your urgent attention to rotating your secrets.
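The advisory quoted above asks for two things: rotate everything stored in CircleCI project environment variables or contexts, and review internal logs for unauthorized access between December 21, 2022 and January 4, 2023. The script below is an added example (not CircleCI's code or anything from this thread) of how a defender might do the log-review half: it parses a JSON-lines access log, flags every use of a CircleCI-stored credential inside the exposure window, highlights uses from source addresses outside an allow-list, and emits a rotation checklist covering every stored secret whether or not use was observed. The log format, credential names, source addresses and the `KNOWN_SOURCES` allow-list are all constructed for illustration; the window is taken from the advisory and treated as UTC, which is an assumption since the advisory gives dates only.

```python
"""Triage helper for a CI secrets-exposure advisory (added example, constructed data)."""
import json
from datetime import datetime, timezone

# Exposure window from the advisory; UTC is an assumption (advisory gives dates only).
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 5, tzinfo=timezone.utc)  # exclusive: covers all of Jan 4

# Constructed: credential identifiers known to be stored in CircleCI, and where.
CIRCLECI_SECRETS = {
    "ghp_token_deploy": "project env var DEPLOY_TOKEN",
    "aws_key_AKIA_EXAMPLE": "context prod-aws",
    "npm_publish_token": "context npm-release",
}

# Constructed: source addresses we expect legitimate CI traffic to come from.
KNOWN_SOURCES = {"203.0.113.10"}

# Constructed: JSON-lines access log, one event per line (a malformed line included).
SAMPLE_LOG = """\
{"ts": "2022-12-15T10:00:00Z", "cred": "ghp_token_deploy", "src": "203.0.113.10", "action": "git.push"}
{"ts": "2022-12-28T03:12:44Z", "cred": "aws_key_AKIA_EXAMPLE", "src": "198.51.100.7", "action": "s3.ListBuckets"}
not json at all
{"ts": "2023-01-02T22:41:09Z", "cred": "ghp_token_deploy", "src": "198.51.100.7", "action": "repo.clone"}
{"ts": "2023-01-03T08:00:00Z", "cred": "unrelated_token", "src": "203.0.113.10", "action": "api.read"}
{"ts": "2023-01-06T09:00:00Z", "cred": "npm_publish_token", "src": "203.0.113.10", "action": "npm.publish"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime; skip malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError):
            continue  # unparseable line: skip rather than abort the whole review
        events.append(ev)
    return events


def in_window(ts, start=WINDOW_START, end=WINDOW_END):
    """True when the timestamp falls inside the advisory's exposure window."""
    return start <= ts < end


def triage(log_text, secrets=CIRCLECI_SECRETS, known_sources=KNOWN_SOURCES):
    """Return (hits, rotation_plan).

    hits: credential -> list of in-window uses, each tagged with whether the
          source address was outside the allow-list.
    rotation_plan: one entry per stored secret; rotation is required regardless
          of observed use, per the advisory, so every secret appears.
    """
    hits = {}
    for ev in parse_events(log_text):
        if ev.get("cred") not in secrets or not in_window(ev["ts"]):
            continue
        hits.setdefault(ev["cred"], []).append({
            "ts": ev["ts"].isoformat(),
            "src": ev.get("src"),
            "action": ev.get("action"),
            "unknown_source": ev.get("src") not in known_sources,
        })
    rotation_plan = [
        {"cred": name, "location": where, "observed_use_in_window": name in hits,
         "use_from_unknown_source": any(h["unknown_source"] for h in hits.get(name, []))}
        for name, where in secrets.items()
    ]
    return hits, rotation_plan


if __name__ == "__main__":
    found, plan = triage(SAMPLE_LOG)
    for cred, uses in found.items():
        for u in uses:
            flag = "UNKNOWN SOURCE" if u["unknown_source"] else "known source"
            print(f"{u['ts']} {cred} {u['action']} from {u['src']} ({flag})")
    print("Rotation checklist:")
    for item in plan:
        print(f"  - {item['cred']} ({item['location']}): "
              f"used in window={item['observed_use_in_window']}, "
              f"unknown source={item['use_from_unknown_source']}")
```

On the constructed log this reports the two in-window uses (the AWS key and the deploy token, both from an address outside the allow-list), ignores the push from before the window and the publish from after it, and still lists all three secrets for rotation. In a real review the `cred` field would be whatever your audit source keys on (token ID, access key ID, fingerprint), and the allow-list would come from your CI egress addresses.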


I was thinking of the Pytorch supply-chain issue as well: https://www.bleepingcomputer.com/news/security/pytorch-discl...

I can see someone working at Slack try a nightly, they surely work with ML.


Are you implying that Travis may have caused compromise of customer codebases? Wow


Yes, this is well known, they had a major breach earlier in 2022 that apparently leaked all of their GitHub tokens. This happened almost simultaneously to the Heroku leak and is thought to be connected to it. From OP's link, it sounds like they had another one recently—maybe another group re-using the first vulnerability?


> earlier this year

Earlier last year.


Whoops, thanks :)


3am feels like both "last night" and "this morning"; I feel the same way about 2020-202x.



