Well, well, hours after telling you not to change passwords, now I am telling you to change it… but this time with good reason. Minutes ago I’ve received a email from Atlassian:
We are sending you this message because we experienced a security breach and suspect that your Atlassian customer account password details (only) may have been compromised.
It is very unlikely that an unauthorised user has had the opportunity to log in to your account so far and if they have, there is very little in the way of personal information which could have been accessed. However, to minimise any further risk to your Atlassian account being compromised, we strongly recommend that you change your Atlassian account password as soon as possible using the procedure below.
Be aware that this security issue only affects Atlassian customers who created an Atlassian account and purchased one of our products before June 2008. Since then, we have been using a more secure user management system based on Atlassian’s Crowd product. When you change your Atlassian account password using the procedure below, your Atlassian customer account details will be stored in our updated Crowd user management system, which will further minimise the chance of a security breach occurring in future.
Procedure for changing your Atlassian customer account password:
1) Login to http://my.atlassian.com
2) Click "My Profile" (3rd tab)
3) Click "Change Password" (in Contact Information section)
4) Update your password to a new value
Atlassian apologises for the inconvenience caused. However, this is an extremely rare event for us and since we take security issues seriously, we are taking every precaution possible to minimise the effects of this security breach.
Director of IT
Not fun .. and I expect to we’ll hear more from Atlassian soon. For now they are obviously figthing whatever it is – status update from Twitter:
Atlassian had a security breach. Apologies for the confusion. Our site is experiencing heavy loads. We are working on getting back up ASAP.
Personally I am safe – I don’t have active accounts, just decided to help push Atlassian’s charity towards the finish line by purchasing 10 licences, but if you do, time to change the passwords…
Update: co-Founder and co-CEO Mike Cannon-Brookes posted the details on the Atlassian blog.
Apparently an old, inactive database table that had already been migrated in July 2008 to the secure Crowd identity management system was not deleted mistakenly. That indirectly answers the speculation about Atlassian passwords being stored in plain text format. They are not – anymore, but they used to be, prior to July 2008.
Mike goes on to detail what was / was not compromised: read for changes, they are resetting potentially compromised account passwords now.
He does not BS, owns up the mistake:
We made a big error. For this we are, of course, extremely sorry. The legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn’t active, it should have been deleted. There’s no logical explanation for why it wasn’t, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up.
They are still investigating what happened and Mike promises full disclosure, coming this week.
It’s been a bad day for Atlassian and some of their customers – but I’m glad they live up to their "Open Company, No Bullshit" slogan, and respond as expected.