Atlassian security breach and customer support in real-time

Monday, 12 April 2010 at 19:56 UTC 3 comments

About an hour ago customers of Atlassian (the company behind great tools like Jira and Confluence) got an email about a security breach and to change their password.

Be aware that this security issue only affects Atlassian customers who created an Atlassian account and purchased one of our products before June 2008. Since then, we have been using a more secure user management system based on Atlassian’s Crowd product. When you change your Atlassian account password using the procedure below, your Atlassian customer account details will be stored in our updated Crowd user management system, which will further minimise the chance of a security breach occurring in future.

[1] Source: Jason Winder Webnet IT Blog: Atlassian Stored Passwords in Cleartext?

Just after this email it seems that most people were not able to retrieve Atlassian’s service to react.

Now after one hour there was no official statement of Atlassian!

Guys @Atlassian ! Please use Twitter or Uservoice to react in our real-time live and give us some background information!

Twitter User Feedback

Update 1:

[2] @atlassian on Twitter at 7 00 PM GMT replied:

Atlassian had a security breach. Apologies for the confusion. Our site is experiencing heavy loads. We are working on getting back up ASAP.

[3] Zoli Erdos at Cloudave: Atlassian Security Breach and Warning

Update 2:
[4] Atlassian’s Mike Cannon-Brookes initial customer feedback today morning

The legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn’t active, it should have been deleted. There’s no logical explanation for why it wasn’t, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up.
Disclosure: in terms of the security breach itself, we will disclose the various attack vectors and what happened once we have a full picture. Expect this in the coming week.

Looking forward to it, so everybody can learn from such IT security mistakes.


Entry filed under: web. Tags: , , , .

using xpidl under 64-bit Snow Leopard Jira at was hacked

3 Comments Add your own

  • 1. John Sloat  |  Monday, 12 April 2010 at 20:10 UTC

    My name is John Sloat, I work at Atlassian.

    We apologise for the delay in releasing a public response to the concern over the legitimacy of the email that has been sent out. We have now responded on Twitter:

    The email that was sent out to customers WAS sent from Atlassian. We are currently experiencing a high volume of traffic on our website as there are a large amount of people attempting to reset their passwords.

    We sincerely apologise for both the compromise in security and our delay in responding to the concerns raised on Twitter. We will release more information on Twitter via @atlassian once we have an update on the situation.

  • 2. moojix  |  Monday, 12 April 2010 at 20:44 UTC

    John, thanks for this update.

    Looking forward to read more about which data was compromised.

  • 3. js  |  Tuesday, 13 April 2010 at 01:47 UTC

    Hi moojix,

    We’ve posted more information about the security breach on our blog which will hopefully answer most of your questions and concerns. We apologize again for the breach as well as the email that followed which was unclear at best.

    – Jon Silvers, Atlassian


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


%d bloggers like this: