On March 22nd, 2022, CircleCI became aware of a security breach at Okta by the Lapsus$ group. Okta has confirmed that there was a breach which impacted 2.5% of their customers through a third-party sub-processor. CircleCI was not impacted by this breach, which has been confirmed by Okta.
CircleCI uses Okta for internal employee identity and access management, though not for customer accounts. CircleCI uses Auth0, a company now owned by Okta, to allow users to access CircleCI using a personal email address instead of their VCS provider login credentials. Auth0 was not compromised as part of this incident.
When CircleCI was initially made aware of the breach, our security team performed a review of access logs and Okta administration settings. While awaiting additional details of the breach, we confirmed that no unauthorized access attempts had been made to CircleCI systems. As part of the review process, we also confirmed that no improper account modifications had been made.
We will continue to monitor for updates regarding this incident from Okta and their impacted customers, and will post updates if necessary.