The post says "If you stored secrets on our platform during this time period, assume they have been accessed," so I guess self-hosted customers weren't impacted.
The method of attack sounds like CircleCI's production cloud (probably AWS) was impacted - "the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys."
But I am surprised that their SOC2 auditors didn't raise exceptions about their lack of controls. Sounds like a pretty immature program; they only talk about 2FA, MDM and SSO, which is basic stuff. Where is the SIEM? Or CSPM? Or any alerting!? Yes, there are SOC2 automation platforms out there that rubber-stamp stuff, but at CircleCI's scale I'd expect more scrutiny.