Australian collaborative software developer Atlassian today warned customers that it had in the past several days plugged a security hole that could have compromised customer passwords.
"If you have an Atlassian account from before July 2008, you should definitely change your password with us," said the company's chief executive Mike Cannon-Brookes, writing on the company's corporate blog.
"Around 9pm US PST Sunday evening, Atlassian detected a security breach on one of our internal systems. The breach potentially exposed passwords for customers who purchased Atlassian products before July 2008," he explained.
"During July 2008, we migrated our customer database into Atlassian Crowd, our identity management product, and all customer passwords were encrypted. However, the old database table was not taken offline or deleted, and it is this database table that we believe could have been exposed during the breach."
Atlassian advised customers that its software-as-a-service or hosted customers, or those running Atlassian products behind their firewall, were not affected. No credit card or payment details were exposed, the company claimed.
Cannon-Brookes apologised to customers, saying the old customer database should have been deleted as it had passwords stored in plain text. "There's no logical explanation for why it wasn't, other than as we moved off one project and on to the next one, we dropped the ball and screwed up," he wrote.
He also noted that as Atlassian had emailed customers about the problem, hundreds of thousands of those affected changed their passwords simultaneously, which caused Atlassian's web servers to crumple. In hindsight, he said, Atlassian should have reset customers' passwords itself.
"We apologise for the extra consternation this caused — our web servers are back purring along as normal," he said. Atlassian is researching the security hole and will provide further information once it knows more.
Atlassian is an Australian software company built from the ground up by Cannon-Brookes and co-founder Scott Farquhar over the past eight years. Providing collaborative software — for example, its JIRA bug and issue tracker and its Confluence enterprise wiki software — it has grown to over 220 employees across offices in Sydney, San Francisco and Amsterdam.