Data Breach

Hackers disclose Atlassian data after the theft of an employee’s credentials

Atlassian discloses a data leak caused by the theft of employee credentials, which were used to steal data from a third-party vendor.

A group of hackers called SiegedSec recently published on its Telegram channel a JSON file containing data belonging to thousands of Atlassian employees and floor plans for two of the company’s offices.

“The employee file posted online Wednesday contains more than 13,200 entries and a cursory review of the file appears to show multiple current employees’ data, including names, email addresses, work departments and other information.” reported CyberScoop. “The floor plans are for one floor of the company’s San Francisco office and another for its Sydney, Australia, office.”

The threat actors used the stolen employee credentials to steal data from a third-party vendor. The company pointed out that the incident did not impact its network or customer information.

“THATS RIGHT FOLKS, SiegedSec is here to announce we have hacked the software company Atlassian. This company worth $44billion has been pwned by the furry hackers uwu. Who knew gay furries could do such a thing! Holy fucking bingle!” reads a message posted by the group on its Telegram channel. “We are leaking thousands of employee records as well as a few building floorplans. These employee records contain email addresses, phone numbers, names, and lots more~! (Atlassian claims to have 8k employees as of June 2022, however we have conflictingly found 13k employee records) “The story is ours and it is done by hackers!” SiegedSec would like to formally say thank you to Atlassian for providing us with this data <3 Happy late-Valentines day everyone, love from SiegedSec~”

The company confirmed the data leak and revealed that the exposed data was from third-party vendor Envoy, which is a startup that provides workplace management services to the Australian software giant.

“On February 15, 2023, we learned that data from Envoy, a third-party app that Atlassian uses to coordinate in-office resources, was compromised and published,” Atlassian spokesperson Megan Sutton told TechCrunch. “Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk.”

For its part, Envoy declared that it has not suffered a security breach and argued that the attackers likely stole the credentials from an Atlassian employee and then used them to access data used by the Envoy app.

“a hacker gained access to an Atlassian employee’s valid credentials to pivot and access the Atlassian employee directory and office floor plans held within Envoy’s app.” Envoy spokesperson April Marks told TechCrunch.

After Envoy’s denial, Atlassian added that its internal investigation revealed that the attackers had actually compromised its data from the Envoy app “using an Atlassian employee’s credentials that had been mistakenly posted in a public repository by the employee.”

SiegedSec used an employee’s credentials that had been mistakenly posted in a public repository by the employee.

“As such, the hacking group had access to data visible via the employee account which included the published office floor plans and public Envoy profiles of other Atlassian employees and contractors,” Sutton explained. “The compromised employee’s account was promptly disabled eliminating any further threat to Atlassian’s Envoy data. Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk.”

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)
