Google allows custom JS injection via Tag Manager, so there are possible vectors, even if only access to a 3rd-party site was stolen. Of course I have no idea what the deal was here.
It's worth noting that CircleCI did nothing to address the issues raised in the linked post. Their main app still loads tons of third-party analytics garbage, e.g. for Google, Hotjar, Amplitude and even Facebook of all people. I do block all those, but as someone pointed out, it's not a solution and can't even be reliable at all times.
Please bear in mind that CircleCI not only has access to private repositories. More often than not they do store private SSH keys to your production servers.