I notice that Docker Hub has been compromised (https://news.ycombinator.com/item?id=19763413)
CircleCI publishes a number of containers to Docker Hub such as the CircleCI MySQL image, and I notice that they’ve been updated during the likely breach period and I don’t see any matching announcement in https://discuss.circleci.com/c/announcements/l/latest
Also, there’s no matching commits that should trigger a new image that I can see within Github.
Just wanted to find out whether members of your organisation with push access to Docker were affected by the breach and where the image changes have come from.
The Github repo is at https://github.com/circleci/circleci-images/commits/staging - I was unable to post more than two links in my first post because it’s the first time I’ve used the forum.
Example Docker images are at https://hub.docker.com/r/circleci/mysql
Thank you for reaching out about this important issue. I don’t believe there is anything to be concerned about at the moment. Our Docker images are built fresh every 24 hours so they’ve already been built from scratch since the Docker Hub incident.
That being said, our Security Team will look into this to ensure that everything on our end is indeed safe and nothing malicious has occurred do to the upstream incident.