This is one of the reasons why we have shut down our own CI solution. We didn't have enough manpower to develop the product, audit the whole stack and monitor against attacks.
CircleCI's response to the incident appears adequate. In the best case, their system was shut down before any keys were compromised. If so, that level of monitoring is certainly better than what the average business would be able to roll on their own.