Atlassian worker's credentials stolen to leak data

How to prevent cyberattacks
(Image credit: Unsplash)

Sensitive data belonging to Atlassian was leaked earlier on Telegram after a hacker used employee credentials in an act of identity theft to access a system belonging to a third-party vendor.

As the media reported late last week, hackers from the SiegedSec threat actor group found the credentials belonging to an employee of the Australian-based collaboration software provider, Atlassian. They used those credentials to access Envoy, a third-party app that Atlassian uses for the coordination of in-office resources.

As it turns out, they found the credentials after they were erroneously published on a public repository.

Leaks on Telegram

After gathering the data found in Envoy, they leaked it on Telegram:

"We are leaking thousands of employee records as well as a few building floorplans. These employee records contain email addresses, phone numbers, names, and lots more~!"

Not long after the breach, cybersecurity researchers from Check Point Software analyzed the stolen dataset and confirmed it held two floor maps for the Sydney and San Francisco offices. What’s more, SiegedSec leaked a JSON file with data on Atlassian employees. Customer data was not affected by this incident.

Check Point then stated what was later confirmed by all parties: Atlassian’s systems weren’t directly breached, but the attackers rather accessed Envoy via stolen credentials. 

"On February 15, 2023 we learned that data from Envoy, a third-party app that Atlassian uses to coordinate in-office resources, was compromised and published. Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk," Atlassian told the publication.

"The safety of Atlassians is our priority, and we worked quickly to enhance physical security across our offices globally. We are actively investigating this incident and will continue to provide updates to employees as we learn more."

Envoy also said its systems weren’t compromised.

"We’re investigating this right now and are not aware of any compromise to our systems. Our initial research shows that a hacker gained access to an Atlassian employee's valid credentials to pivot and access the Atlassian employee directory and office floor plans held within Envoy’s app," the company told BleepingComputer.

"Envoy, like Atlassian, takes the security and privacy of our customers’ data incredibly seriously and has stringent measures in place to protect it."

“We can confirm Envoy’s systems were not compromised or breached and no other customer’s data was accessed,” the company later reiterated.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.