MongoHQ security breach impacting CircleCI customer data
CircleCI · MongoHQ
On October 29, 2013, CircleCI was notified by their database provider, MongoHQ, that their systems had been compromised. CircleCI later confirmed that their MongoDB instance was among those accessed by attackers. The unauthorized access to CircleCI’s database occurred late at night UTC on October 27, 2013.
The breach of MongoHQ’s systems led to the potential exposure of sensitive customer data stored in CircleCI’s database. This included GitHub OAuth tokens, Heroku API tokens, AWS IAM keys, and SSH deploy/user keys. Although there was no immediate evidence of exploitation, CircleCI took preventative measures right away to protect user data.
CircleCI’s response began on October 29th with shutting down their website and all builds to contain potential risk. They initiated a process to revoke all accessible API tokens and SSH keys. This involved contacting GitHub, Heroku, and Amazon to revoke customer-related tokens and keys.
By October 30th, CircleCI had completed the revocation of GitHub OAuth tokens, SSH deploy/user keys, and Heroku API tokens. They also cycled all their own keys and deleted caches. Users were advised to secure any of their systems that could be accessed with SSH keys or API tokens stored in CircleCI, and to check their applications and code for alterations.