Code Room
On-call · Hard · oc-g138
Subject: Secret rotation · Level: Senior–Staff · ~45 min · Common in Security interviews · Industries: Technology, Software development

Question

A departing employee's laptop is found to have had a clear-text copy of a shared database master password and a single Stripe restricted API key that 40+ microservices all use (it was hard-coded in a base config). The employee left under contested circumstances 9 days ago; access logs are inconclusive. You must rotate both secrets, but the Stripe key is used by services across 6 teams with no central secret store, and the DB password is referenced in ~30 deploy manifests. How do you triage the blast radius and roll the rotation without a self-inflicted outage?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Nine days of inconclusive access logs means both secrets are treated as compromised: rotation is not contingent on proving misuse. While the rotation is being planned, pull the signals that do exist, such as the provider-side request logs for the Stripe key and the database's connection and authentication logs, and look for source addresses outside your own egress ranges.

Triage the blast radius before touching anything. The "40+ services" and "~30 manifests" are estimates inherited from a base config, so inventory by evidence rather than by memory: scan repos, deploy manifests, container images and CI variables for the leaked values, matching on a fingerprint (hash) of each secret so the scanning tool never carries the plaintext, and attribute every hit to an owning team. That inventory is the cutover list and the communication list.

Roll the rotation with an overlap window rather than an in-place change, because an in-place change breaks every consumer at once. For the Stripe key, create a second restricted key with the same permissions, migrate consumers team by team with a small canary first, and revoke the old key only when its usage has dropped to zero. For the database, create a new role with identical grants instead of changing the existing password, migrate the manifests to the new credential, and disable the old role once the connection logs show no further logins with it. Separate root cause from symptom: the symptom is a copied password, the root cause is one long-lived shared secret hard-coded across six teams with no central store. Communicate status as you go (a single incident channel, a named owner per team, announced cutover windows), and close with what prevents a repeat: a central secret store, per-service keys, short-lived or automatically rotated credentials, secret scanning in CI, and an alert on any future use of the old fingerprints.
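The triage step described above, as an added example that is not part of the original page: a small Python scanner that matches manifest tokens against SHA-256 fingerprints of the leaked values, groups the hits by owning team, and emits an overlap-rotation order (canary with the team that owns the fewest consumers, revoke last). All manifests, team names and secret values below are constructed for the example; the `team:` field in each manifest is an assumed convention for ownership.

```python
"""Blast-radius triage for a leaked shared secret (added example).

Matches on SHA-256 fingerprints so the scan config never carries the
plaintext, attributes every hit to an owning team, and proposes an
overlap rotation order. Every manifest and value here is constructed.
"""
import hashlib
import re
from collections import defaultdict

# Constructed deploy manifests: {path: file contents}. Not real secrets.
MANIFESTS = {
    "payments/api/deploy.yaml": (
        "team: payments\nservice: checkout-api\n"
        "env:\n  STRIPE_KEY: rk_live_EXAMPLEleakedkey123\n"
        "  DATABASE_URL: postgres://app:Tr0ub4dor&3@pg.internal:5432/app\n"
    ),
    "payments/worker/deploy.yaml": (
        "team: payments\nservice: payout-worker\n"
        "env:\n  STRIPE_KEY: \"rk_live_EXAMPLEleakedkey123\"\n"
    ),
    "growth/emailer/deploy.yaml": (
        "team: growth\nservice: emailer\n"
        "env:\n  DB_PASSWORD: Tr0ub4dor&3\n"
    ),
    "platform/metrics/deploy.yaml": (  # uses a different key: out of scope
        "team: platform\nservice: metrics\n"
        "env:\n  STRIPE_KEY: rk_live_otherUNRELATEDkey456\n"
    ),
}

# Constructed leaked values, i.e. what was found on the laptop.
LEAKED = {
    "stripe_restricted_key": "rk_live_EXAMPLEleakedkey123",
    "db_master_password": "Tr0ub4dor&3",
}

# Split on YAML/URL punctuation so a password embedded in a DSN is a token.
TOKEN_SPLIT = re.compile(r"""[\s"'=:@/,]+""")


def fingerprint(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def find_references(manifests, fingerprints):
    """Return {path: [(label, line_no), ...]} for each manifest line holding a
    token whose fingerprint matches one of the leaked secrets."""
    by_fp = {fp: label for label, fp in fingerprints.items()}
    hits = defaultdict(list)
    for path, text in manifests.items():
        for n, line in enumerate(text.splitlines(), 1):
            for tok in TOKEN_SPLIT.split(line):
                if tok and fingerprint(tok) in by_fp:
                    hits[path].append((by_fp[fingerprint(tok)], n))
    return dict(hits)


def owner(text):
    """Assumed convention: each manifest names its owning team in a 'team:' line."""
    m = re.search(r"^team:\s*(\S+)", text, re.M)
    return m.group(1) if m else "unknown"


def blast_radius(manifests, hits):
    """{label: {team: [path, ...]}}: who has to act for each leaked secret."""
    radius = defaultdict(lambda: defaultdict(list))
    for path, refs in hits.items():
        for label, _ in refs:
            team = owner(manifests[path])
            if path not in radius[label][team]:
                radius[label][team].append(path)
    return {label: dict(teams) for label, teams in radius.items()}


def rotation_plan(radius, label):
    """Overlap rotation: issue the new secret while the old stays valid, migrate
    team by team (fewest consumers first as the canary), revoke old last."""
    teams = sorted(radius.get(label, {}), key=lambda t: (len(radius[label][t]), t))
    steps = [f"issue new {label}; keep old valid (dual-accept window)"]
    for t in teams:
        files = ", ".join(sorted(radius[label][t]))
        steps.append(f"migrate {t}: {files}; verify health before next wave")
    steps.append(f"revoke old {label}; alert on any further use of its fingerprint")
    return steps


if __name__ == "__main__":
    fps = {label: fingerprint(v) for label, v in LEAKED.items()}
    hits = find_references(MANIFESTS, fps)
    radius = blast_radius(MANIFESTS, hits)
    for label in LEAKED:
        print(f"== {label}: {sum(len(p) for p in radius.get(label, {}).values())} consumer(s)")
        for step in rotation_plan(radius, label):
            print("  -", step)
```

In a real run the `MANIFESTS` dict would be replaced by a walk over checked-out repos, rendered Helm/Kustomize output and exported CI variables, and the fingerprints would be computed once on an analyst's machine rather than stored with the tool; the matching and planning logic stays the same.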
