Atlassian plugs security hole


Australian collaborative software developer Atlassian today warned customers that it had in the past several days plugged a security hole that could have compromised customer passwords.

“Around 9PM US PST Sunday evening, Atlassian detected a security breach on one of our internal systems. The breach potentially exposed passwords for customers who purchased Atlassian products before July 2008,” said the company’s chief executive, Mike Cannon-Brookes, writing on the company’s corporate blog.

“During July 2008, we migrated our customer database into Atlassian Crowd, our identity management product, and all customer passwords were encrypted. However, the old database table was not taken offline or deleted, and it is this database table that we believe could have been exposed during the breach.”

Atlassian advised customers to change their passwords if they had an account with the software developer before July 2008, although software-as-a-service or hosted customers, and those running Atlassian products behind their firewall, were not affected. No credit card or payment details were exposed.

Cannon-Brookes apologised to customers, saying the old customer database should have been deleted as it had passwords stored in plain text. “There’s no logical explanation for why it wasn’t, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up,” he wrote.

He also noted that as Atlassian had emailed customers about the problem, hundreds of thousands of those affected changed their passwords simultaneously — causing Atlassian’s web servers to crumple. In hindsight, he said, Atlassian should have reset customers’ passwords itself.

“We apologise for the extra consternation this caused — our web servers are back purring along as normal,” he said. Atlassian is researching the security hole and will provide further information once it knows more.

Atlassian is an Australian software company built from the ground up by Cannon-Brookes and co-founder Scott Farquhar over the past eight years. Providing collaborative software — for example, its JIRA bug and issue tracker and its Confluence enterprise wiki software — it has grown to over 220 employees across offices in Sydney, San Francisco and Amsterdam.
