CircleCI

Passwords, Private Keys and Secrets have been compromised. Customers are advised to rotate their credentials. https://techcrunch.com/2023/01/05/circleci-breach/

This is a huge administrative and financial overhead for the customer. Rotating keys (especially private keys) is a huge pain. Sometimes this is not even possible (e.g. when the key is used for signing). When a signing key has been compromised:

  1. the old signing key has to be revoked
  2. a new signing key has to be generated
  3. the new signing key has to be distributed to all clients

Embedded devices are especially vulnerable to this kind of attack. They often have no way of updating the signing key (if no backup signing key has been deployed initially). The only way to fix this is to replace the device.
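An added example (not from the original note) of what the device side of these three steps looks like when a backup signing key was provisioned at manufacture, using Go's standard-library Ed25519; the TrustStore type, the "revoke:" message format and the sample payload are assumptions for illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// TrustStore is the verification state a device ships with: the key that currently
// signs updates plus an optional backup key provisioned at manufacture (nil if none).
type TrustStore struct {
	Active, Backup ed25519.PublicKey
}

// revocationMsg is the statement that retires a public key (constructed format, not a standard).
func revocationMsg(pub ed25519.PublicKey) []byte { return append([]byte("revoke:"), pub...) }

// Revoke is step 1 as seen by the device: a revocation signed by the active key
// retires it and promotes the backup, so the new key needs no separate distribution.
func (t *TrustStore) Revoke(sig []byte) error {
	if !ed25519.Verify(t.Active, revocationMsg(t.Active), sig) {
		return errors.New("revocation is not signed by the active key")
	}
	if t.Backup == nil {
		return errors.New("no backup key deployed: device must be replaced")
	}
	t.Active, t.Backup = t.Backup, nil
	return nil
}

// VerifyUpdate accepts a payload only if it is signed by the currently active key.
func (t *TrustStore) VerifyUpdate(payload, sig []byte) bool {
	return ed25519.Verify(t.Active, payload, sig)
}

// Rotate walks the whole sequence for a device with or without a backup key and reports which checks passed.
func Rotate(withBackup bool) (oldOKBefore, revoked, oldOKAfter, newOK bool) {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	store := &TrustStore{Active: oldPub}
	if withBackup {
		store.Backup = newPub
	}
	fw := []byte("firmware v2") // constructed sample update payload
	oldOKBefore = store.VerifyUpdate(fw, ed25519.Sign(oldPriv, fw))
	revoked = store.Revoke(ed25519.Sign(oldPriv, revocationMsg(oldPub))) == nil
	oldOKAfter = store.VerifyUpdate(fw, ed25519.Sign(oldPriv, fw))
	newOK = store.VerifyUpdate(fw, ed25519.Sign(newPriv, fw))
	return
}
```

Without a backup key the revocation is refused and the device keeps trusting the compromised key, which is exactly the case where only replacing the device helps.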