Company:
Date Published:
Author: Ciara Carey
Word count: 801
Language: English
Hacker News points: None

Summary

The use of long-lived credentials in CI/CD platforms is a significant security risk: a single leaked credential can grant access to multiple cloud accounts and lead to data leaks, account hijacking, or unauthorized access. To mitigate this risk, the NSA recommends minimizing the use of long-lived credentials by using ephemeral tokens such as those issued via OpenID Connect (OIDC), and implementing strong access controls, up-to-date tools, log auditing, security scans, and proper secret management. Rob Godfrey, Senior Technical Architect at the Financial Times (FT), shares his team's experience of navigating the aftermath of the CircleCI breach, highlighting the importance of OIDC authentication, of selecting tooling that supports OIDC, and of implementing alternative processes to mitigate risk where it does not. After receiving the advisory from CircleCI, the FT team identified over 14,000 environment variables to manage and rotated all of their secrets; since then the team has implemented long-term initiatives to fortify pipeline security, including OIDC integration, automated key rotation, an internal infrastructure inventory, build tool selection, and training and awareness programs.