CircleCI engineers identified a bug late Friday afternoon affecting open-source projects that allow building pull requests. By default, the fork pull request builds got passed any environment variables the parent repo is configured with, despite claims in the project settings.
An engineer patched the issue Friday for the SaaS product and released an Enterprise version Saturday.
The issue affected a small subset of users, each of which was personally notified Saturday so project administrators had time to rotate credentials ahead of this public disclosure. If you didn't received an email, this disclosure does not affect you. You can also double check fork pull request behavior under the "Advanced Settings" section in projects.
There is no evidence of lost data or known malicious behavior as a result of the issue.