Atlassian Claims Data Breach Linked to Third-Party Workplace Platform Envoy


Last week, Atlassian confirmed a security breach that exposed the sensitive data of thousands of Atlassian employees. The company claimed that hackers couldn’t access Atlassian’s product and customer information.

According to a new report by Cyberscoop, a threat actor named SiegedSec announced on Telegram that it had hacked the enterprise software company Atlassian. The hacking group claimed to have accessed sensitive data such as names, email addresses, contact numbers, and other information of around 13,200 Atlassian employees. The leaked data also included floor plans of Atlassian’s offices in Sydney and San Francisco.

Atlassian is still investigating the security incident, but it claimed that the stolen data is associated with the third-party vendor Envoy, which the company uses to organize its office spaces. Atlassian emphasized that customer and product data is secure and is not accessible via the Envoy app.

“On February 15, 2023 we learned that data from Envoy, a third-party app that Atlassian uses to coordinate in-office resources, was compromised and published. Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk. The safety of Atlassians is our priority, and we worked quickly to enhance physical security across our offices globally. We are actively investigating this incident and will continue to provide updates to employees as we learn more,” Atlassian explained.

According to Envoy founder Larry Gadea, there is no evidence that the hackers have breached its internal systems. However, an initial investigation revealed that the hackers had stolen employee credentials in order to access and download the Atlassian employee directory and floor plans from the Envoy app. The company added that it’s collaborating with Atlassian to find the source of this security incident.

Atlassian employee’s credentials posted in a public repository

Interestingly, Atlassian issued a follow-up statement to provide further clarification. The company noted that the threat actors had abused employee credentials that were mistakenly shared on a public repository. “The compromised employee’s account was promptly disabled early in the investigation which was proven effective in eliminating any further threat to Atlassian’s Envoy data,” Atlassian added.

This is certainly not the first time that Atlassian has had to deal with a security breach. Last year, the company discovered a critical remote code execution flaw that could allow attackers to gain access to Atlassian Confluence Server and Data Center. Atlassian also disclosed that its Questions for Confluence app contains hardcoded passwords that could provide access to any vulnerable instance.