The sad part is, the damage this does to companies won't be felt for years (which is how long it'll take someone to take the stolen source code, analyze it, and make a convincingly-distinct clone), so companies will think that nothing came of this, and they'll keep using CircleCI (and other similar platforms which put everyone's eggs in the same basket, how appealing to hackers that must be).
I suspect the intruders would use the code to find vulnerabilities in other companies. Which they can use for easy ransomware access or straight up stealing customer data. Or both. Much less trouble than analysing and running someone else’s software.
Web software is incredibly simple. Having someone's ruby code doesn't really help you much. Hackers just try a few SQL injections, stuff script tags into all of the form fields, and call it a day. More advanced hacks on webapps are virtually unheard of. Certainly custom-designing a hack for some company isn't going to happen. It's a waste of time, because chances are you won't find some complicated hack that wasn't already exposed through the spamming techniques I mentioned above. And most larger, "worthwhile" companies tend to run their own in-house CI and not use Circle.
In this incident, the unauthorized actor exfiltrated customer information on December 22, 2022, which included environment variables, keys, and tokens for third-party systems.
A lot of production AWS/GCP keys are likely stolen for those that deploy from CI/CD.
