back to article Today's data whoopsie is brought to you by CircleCI: Source safe, but look out for phishers

Software testing and delivery company CircleCI has apologised for exposing user data to the world and its dog. The company blamed a third-party analytics provider for the leak, which it was told about at the end of August. CircleCI is a continuous integration/continuous delivery software pipeline for Microsoft, Linux, Docker …

  1. Pascal Monett Silver badge

    "a third-party analytics provider"

    Well that's just fine and dandy, isn't it ? A 3rd-party is responsible. But of course, it's not your fault that you couldn't be arsed to keep the job in-house. On the contrary, you went 3rd-party because that gives you plausible deniability.

    It does not. You should have vetted your 3rd party better.

    It's still your fault.

  2. cdrcat

    Insecure third-party scripts

    They haven't locked down their web app JavaScript includes: Facebook, Hotjar, Amplitude, Google, and others have access to your production SSL keys, code, passwords, etc.

    It's a quick smell test for whether a company actually cares about security: what third-party scripts are included in their "secure" web page areas. The default web developer doesn't know better, and it is hard to lock down third parties (best solution is to avoid unnecessary third-party shit like analytics, also can use iframes or more complex solutions like caja).

    This guy asked them about this issue 2 years ago, and apparently they haven't done anything much about it which signals CircleCI's security is poor:

    1. cdrcat

      Re: Insecure third-party scripts

      It's possible the third party was Segment which has also just notified of a breach -

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon