In response to recent news related to compromised login credentials across the internet, we wanted to share how CircleCI keeps your accounts secure and what to do if you think your credentials have been compromised.
An investigation into recent breach announcements confirmed that CircleCI’s systems were not compromised. If you have reused credentials for CircleCI and other systems, we recommend resetting your password out of an abundance of caution. Users whose credentials may be affected have been notified via email.
Breached credential monitoring
CircleCI user login credentials are actively monitored for inclusion in publicly available lists. Credentials that are known to be compromised cannot be used to sign up for or log in to a CircleCI account, nor can a compromised password be used as a new password during a password reset.
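The three enforcement points described above (sign-up, login, and password reset), shown as an added example that is not CircleCI's implementation. The SHA-1 prefix-bucket index, the sample passwords, the function names, and the status strings are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: passwords treated as publicly listed for this demo.
SAMPLE_BREACHED = ["password123", "qwerty2024", "letmein!"]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(passwords):
    """Bucket SHA-1 digests by their first 5 hex chars (assumed layout)."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

BREACH_INDEX = build_index(SAMPLE_BREACHED)

def is_breached(password, index=BREACH_INDEX):
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())

def make_verifier(password, salt=None):
    """Salted PBKDF2 verifier standing in for the account's stored hash."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, key

def verify(password, verifier):
    salt, expected = verifier
    return hmac.compare_digest(make_verifier(password, salt)[1], expected)

def signup_or_reset(new_password):
    """Gate for both sign-up and choosing a new password during a reset."""
    return "rejected_breached" if is_breached(new_password) else "accepted"

def login(password, verifier):
    """A correct password is still refused if it appears in the breach index."""
    if not verify(password, verifier):
        return "denied_invalid"
    if is_breached(password):
        return "denied_reset_required"
    return "allowed"
```

The login path checks the breach index only after the password verifies, so a wrong guess gets the same "invalid" answer whether or not the guessed value is on a public list.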
Password resets
CircleCI may automatically reset your password if we detect or receive reports that your login credentials have been exposed in external locations, such as:
- Public code repositories where credentials were accidentally committed
- Third-party data breaches
- Public logs or documentation containing credentials
- Security research reports
Users whose passwords have been reset are notified via email with instructions on how to restore access to their account.
Security best practices
- Never commit credentials to version control
- Use context environment variables for sensitive configurations
- Enable two-factor authentication
- Use unique, strong passwords for all accounts
- Monitor for accidental credential exposure
CircleCI Security Team