Security Incident – Unauthorized Stripe Activity (Resolved)
Resolved
Jul 15 at 05:02pm HDT
Security Incident Resolved
Affected services
Created
Jul 15 at 04:57pm HDT
🔒 Security Incident – API Key Leak via Contractor (Resolved)
Incident Date: July 15, 2025
Published: August 28, 2025
Summary
On July 15, 2025, we discovered a security incident involving a leaked Stripe API key. The key was unintentionally exposed due to a misconfigured environment used by a third-party contractor during a short-term engagement.
The key was misused to attempt unauthorized charges via stored Stripe tokens. Importantly, no payment card details, login credentials, chat data, or uploaded content were accessed or exposed.
We took immediate action to revoke access, audit the incident, and notify affected users.
Impact
- 3 customers were affected
- All unauthorized transactions were reversed
- No service downtime or data loss occurred
- No sensitive personal data was compromised
Response & Communication
- Affected users were notified promptly after detection
- Routine status updates were provided to those impacted
- Refunds and account protections were applied proactively
Root Cause
The incident was caused by a development .env file containing a Stripe secret key that was present in a cloned repository accessed by a contractor. Their local environment did not have proper isolation or secret management in place.
Remediation Actions
- Stripe keys immediately revoked and rotated
- Contractor access terminated
- Full audit of Git repositories and infrastructure conducted
- Secrets moved to AWS Secrets Manager
- Enforced scoped permissions, 2FA, and IP whitelisting
- Stripe anomaly alerts and monitoring rules implemented
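As an illustration of the repository audit listed above, the following added example (not CalStudio's own tooling) walks a checked-out tree and reports Stripe secret or restricted keys found in dotenv-style files, redacting the values. The variable name STRIPE_SECRET_KEY, the directory layout and the key values are constructed for the example; the scan covers the working tree only, not Git history.

```python
import os
import re
import tempfile

# Stripe secret (sk_) and restricted (rk_) keys. Publishable pk_ keys are not secrets.
STRIPE_KEY = re.compile(r"\b(sk|rk)_(live|test)_[0-9A-Za-z]{16,}")
# KEY=VALUE with an optional "export" prefix, used only to name the variable.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=")

def is_dotenv(name):
    """Match .env, .env.local, prod.env and similar file names."""
    return name == ".env" or name.startswith(".env.") or name.endswith(".env")

def redact(key):
    """Keep the type prefix and last four characters so the report is shareable."""
    return "_".join(key.split("_")[:2]) + "_****" + key[-4:]

def scan_tree(root):
    """Return one finding per Stripe key found in dotenv-style files under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in sorted(filter(is_dotenv, filenames)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    # Search the whole line so commented-out keys are caught too.
                    for hit in STRIPE_KEY.finditer(line):
                        var = ASSIGNMENT.match(line)
                        findings.append({
                            "file": os.path.relpath(path, root).replace(os.sep, "/"),
                            "line": lineno,
                            "variable": var.group(1) if var else None,
                            "live": hit.group(2) == "live",
                            "key": redact(hit.group(0)),
                        })
    return findings

def demo():
    """Scan a constructed tree; the key values are fake placeholders."""
    fake_live, fake_test = "sk_live_" + "A" * 20 + "9xYz", "sk_test_" + "B" * 24
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "api"))
        with open(os.path.join(root, "api", ".env"), "w") as fh:
            fh.write(f'export STRIPE_SECRET_KEY="{fake_live}"\n# OLD={fake_test}\n')
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A finding with "live" set to True means the key must be revoked and rotated, since removing the file does not invalidate a key that has already been cloned elsewhere.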
Current Status
✅ The incident is fully resolved and closed.
We’ve introduced stronger vetting and isolation policies for contractors, enforced stricter access management, and hardened our billing infrastructure.
If you have any questions, please contact us at support@calstudio.com.
Aditya Saxena
Founder, CalStudio.com