[CircleCI Security Alert] Rotate any secrets stored in CircleCI

After revoking CircleCI access from BitBucket and re-authorising by signing back in to CircleCI using my BitBucket ID, I am no longer able to see my organisation - the ‘Connect’ button doesn’t even appear on the User Settings / Account Authorisations page. Is there something else that needs to be done to re-connect? (Yes, I have refreshed permissions, cleared cookies and logged in via a virgin browser…)

1 Like

Hi @scottatwinr, just to confirm, are you on the account integrations section of the User Settings? https://app.circleci.com/settings/user - when I’ve looked to reproduce this by revoking on the BB side and navigating back to the user settings page I am still seeing the Bitbucket section with the connect section. What do you see for BitBucket if you navigate to https://app.circleci.com/projects/connect-vcs/?create-new-organization? If you’d like to troubleshoot further, please write in to support@circleci.com or submit a ticket through https://support.circleci.com/hc/en-us. Thanks!

FYI the blog post has been updated with additional information:

So the process I have to follow for this is:

  1. Get a list of users who have granted CircleCI Github access: (No idea how to do this)
  2. Tell all of those users to Revoke and Reauthorize
  3. Request audit logs from CircleCI
  4. Manually review audit logs to ensure all users from 1 revoked access…

There has to be a better way to do this @CircleCI

Thank you Circle team for the fast work today! We’re appreciating the new tool for discovering secrets.

It looks like that tool (and similar community scripts) can only access project and context environment variables, based on the capabilities of the underlying Circle API. However, one of the other primary recommendations is to rotate Project API tokens. This appears to only be possible through the per-project UI. For organizations with hundreds of projects, this could be error-prone and hard to audit.

Do you have any recommendations for programmatically discovering Project-level API tokens?

Thanks!

1 Like
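To make the "discover what is stored where" step of that review less manual, here is an inventory script I added; it is not CircleCI's discovery tool or any script from this thread. It assumes the CircleCI v2 API endpoints GET /project/{slug}/envvar, GET /context (filtered by owner-slug) and GET /context/{id}/environment-variable with next_page_token paging, a Circle-Token header, and a caller-supplied list of project slugs; the gh/acme slugs and responses are constructed so it runs offline, and, as the post says, project API tokens are not exposed by these endpoints, so the script records only what the API can see.

```python
import json
import urllib.request

API = "https://circleci.com/api/v2"

def circle_get(path, token):
    """Live GET against the CircleCI v2 API, authenticated with a personal token."""
    req = urllib.request.Request(API + path, headers={"Circle-Token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def paged(get, path):
    """Yield every item across the next_page_token pages of one endpoint."""
    page, sep = None, ("&" if "?" in path else "?")
    while True:
        data = get(path + (f"{sep}page-token={page}" if page else ""))
        yield from data.get("items", [])
        page = data.get("next_page_token")
        if not page:
            return

def inventory(get, owner_slug, project_slugs):
    """Map each project/context holding variables to the variable names (values
    come back masked). Project API tokens are not exposed here; check the UI."""
    found = {}
    for slug in project_slugs:
        names = [v["name"] for v in paged(get, f"/project/{slug}/envvar")]
        if names:
            found[f"project:{slug}"] = sorted(names)
    for ctx in paged(get, f"/context?owner-slug={owner_slug}"):
        path = f"/context/{ctx['id']}/environment-variable"
        names = [v["variable"] for v in paged(get, path)]
        if names:
            found[f"context:{ctx['name']}"] = sorted(names)
    return found

# Constructed responses standing in for the live API so the demo runs offline.
FAKE_API = {
    "/project/gh/acme/api/envvar": {
        "items": [{"name": "AWS_ACCESS_KEY_ID", "value": "xxxxAB12"}], "next_page_token": "p2"},
    "/project/gh/acme/api/envvar?page-token=p2": {
        "items": [{"name": "AWS_SECRET_ACCESS_KEY", "value": "xxxx9f3c"}], "next_page_token": None},
    "/project/gh/acme/web/envvar": {"items": [], "next_page_token": None},
    "/context?owner-slug=gh/acme": {
        "items": [{"id": "ctx-1", "name": "prod-deploy"}], "next_page_token": None},
    "/context/ctx-1/environment-variable": {
        "items": [{"variable": "NPM_TOKEN", "context_id": "ctx-1"}], "next_page_token": None},
}
def demo_inventory():
    return inventory(FAKE_API.__getitem__, "gh/acme", ["gh/acme/api", "gh/acme/web"])
```

Swap `FAKE_API.__getitem__` for `lambda p: circle_get(p, token)` to run it against a real org; the resulting name list is what you hand to the people who own each secret at its source.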

Can CircleCI automatically revoke all OAuth tokens forcing a new login without us having to ask hundreds or perhaps even thousands of users to do so manually?

3 Likes

Are secrets from projects or organizations hard- or soft-deleted? If the latter, could the threat actor have accessed them? How do we get a list of secrets that were in the system? Thank you.

A coworker and I are in the same boat as @scottatwinr: after revoking the CircleCI app authorization in Bitbucket, then signing back in, we’re unable to see the Bitbucket organization, and there’s no option to Connect in the user settings. The page you asked him to confirm is the one we’re trying. (I also previously had a GitHub connection, and that did work. I tried removing both, then signing in with Bitbucket alone to no avail, and did the same refresh/clear/incognito steps Scott mentioned above. My Bitbucket-only coworker has no ability to see any organizations or projects at all.)

I tried connecting through https://app.circleci.com/projects/connect-vcs/?create-new-organization as suggested, but that asks me to verify my email and results in a modal that says “Verification email failed to send.” Based on what appears in the console upon submission, that possibly appears to be due to a CORS error:

(Additionally, mine tried to send that email to the personal Gmail account tied to my connected GitHub account, rather than the work email that’s tied to my Bitbucket account. My coworker with only Bitbucket had the correct email address, but got the same error message.)

I’ve already logged a support ticket (#124615), but wanted to post here as well in case it helps more of us get it resolved more efficiently. Thank you!

EDIT: Just wanted to follow up here—a support engineer replied to my ticket and manually disconnected the link between CircleCI and my Bitbucket & GitHub accounts. From there, I was able to reauthenticate to Bitbucket, connect my account back to GitHub, and follow projects again.

I’m the aforementioned coworker. Here’s what I see:

1 Like

As an organization, the logistical cost of having all our developers revoke their OAuth tokens individually seems CRAZY costly. Is there no good solution for this?

What can a threat actor do with said tokens? The scopes granted in GitHub list Full control of private repositories and Access user email addresses (read-only), so it’s probably as bad as it sounds, but wouldn’t they also need CircleCI’s client_id and client_secret to use them?

Have those been leaked too? Can’t CircleCI just reset their client_secret?? Why hasn’t CircleCI done this already?

Same goes for Personal API Tokens, but perhaps those are more manageable. I think CircleCI needs to provide organization admins with a list of users with PATs registered in CircleCI so we can track them down.

3 Likes

AWS OIDC started to fail for all our projects/AWS accounts, about half an hour ago, with the following error:

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Token signature invalid

We are using the official circleci/aws-cli orb.

I assume this is somehow related to the incident?

2 Likes

+1

This is failing all our builds

Anyone getting an empty project page from the dashboard, and getting this blurb if you drill into a specific project…?

Something Unexpected Happened
This is certainly annoying, our apologies. Maybe a refresh would help.

# this shows up in the console...
Rollbar: Error: Received a 401 from fetchAPIProject.

EDIT: it’s back… for now, for a second the reload shows multiple 401 errors…

We are getting an OIDC connect error for all our projects. Do we need to update the thumbprint used in the Identity provider? Please let us know. This is causing a lot of disruption.

Is it working for you now? Any workaround you found?

Some organizations store API keys, e.g. AWS ones, in the project variables in CircleCI. Is it better in such a case to invalidate them first, because they could already be compromised? Simply rotating them in CircleCI cannot invalidate them.

Yes, credentials should be rolled in full - invalidated/reissued at source, and updated in CircleCI @circleci-user1

1 Like

@MrAtheist there was a fairly short-lived incident hitting (specifically) the UI. This is now resolved as per https://status.circleci.com/

What about the OIDC issue others are also mentioning? Is this something on your side, or something that requires action on our side? We’re currently unable to run any pipelines as AWS is complaining about the CIRCLE_OIDC_TOKEN signature:

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Token signature invalid
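For the OIDC failures reported earlier in the thread and again here, this is a triage script I added; it is not from CircleCI, the aws-cli orb, or anyone in this thread. AWS STS validates CIRCLE_OIDC_TOKEN against the key set the issuer publishes through OIDC discovery (jwks_uri), so a token whose header kid the issuer no longer lists fails with exactly "Token signature invalid", whereas the thumbprint on the IAM identity provider pins the issuer's TLS certificate, not the signing key. The claim layout mirrors CircleCI's documented token (iss of https://oidc.circleci.com/org/<org-id>, aud of the org id); the org id, key ids, timestamp and signature segment are constructed placeholders.

```python
import base64
import json

def _b64url_decode(part):
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def parse_jwt(token):
    """Return (header, claims) without verifying the signature; triage only."""
    header, claims, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(claims))

def triage_oidc_token(token, jwks, expected_iss, expected_aud, now):
    """List reasons the relying party (here AWS STS) would reject this token.
    The decisive one for 'Token signature invalid' is a header kid that the
    issuer's current JWKS does not publish: the signature can never verify."""
    header, claims = parse_jwt(token)
    findings = []
    kids = sorted(k.get("kid", "") for k in jwks.get("keys", []))
    if header.get("kid") not in kids:
        findings.append(f"kid {header.get('kid')!r} not in issuer JWKS {kids}")
    if claims.get("iss") != expected_iss:
        findings.append(f"iss {claims.get('iss')!r} != {expected_iss!r}")
    aud = claims.get("aud", [])
    if expected_aud not in ([aud] if isinstance(aud, str) else aud):
        findings.append(f"aud {aud!r} does not contain {expected_aud!r}")
    if claims.get("exp", 0) <= now:
        findings.append("token expired (exp <= now)")
    return findings

# Constructed sample: a placeholder org id, a token carrying a key id the
# issuer no longer advertises, and a fake signature segment (no real key used).
ORG_ID = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real org
ISSUER = f"https://oidc.circleci.com/org/{ORG_ID}"
NOW = 1_673_000_000                               # constructed timestamp
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT", "kid": "key-old"}),
    _b64url_encode({"iss": ISSUER, "aud": ORG_ID, "exp": NOW + 3600,
                    "sub": f"org/{ORG_ID}/project/proj-1/user/user-1"}),
    "ZmFrZS1zaWduYXR1cmU",   # base64url("fake-signature"); never verified here
])
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-new", "use": "sig"}]}

def demo_triage():
    return triage_oidc_token(SAMPLE_TOKEN, SAMPLE_JWKS, ISSUER, ORG_ID, NOW)
```

On a real failure, feed it the CIRCLE_OIDC_TOKEN from the failing job and the live JSON from the issuer's jwks_uri; an empty result means the token is well-formed for that issuer and the problem lies in the IAM trust policy or role rather than in the token.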