[HN Gopher] Data from Atlassian dumped online after apparent hack
___________________________________________________________________
Data from Atlassian dumped online after apparent hack
Author : gjvc
Score : 38 points
Date : 2023-03-19 21:10 UTC (1 hour ago)
(HTM) web link (cyberscoop.com)
(TXT) w3m dump (cyberscoop.com)
| RomanPushkin wrote:
| Atlassian alternatives: https://bye-bye-server.com/
| gnabgib wrote:
| This is a month old story now (Feb 15). Not saying it didn't
| happen, or isn't relevant, but this isn't a new/another Atlassian
| leak. It was published as a hack and then later (17th)[1] said to
| be the result of an employee "accidentally publishing credentials
| in a public repo". I wonder if we'll see proof/analysis of that
| claim.. sounds a little convenient. And much easier to PR defend
| than "hacking crew got a valid 2FA backed session token from an
| employee's system" (via a Plex hack.. a la LastPass)
|
| [1]: https://techcrunch.com/2023/02/17/atlassian-and-envoy-briefl...
| Zetice wrote:
| Their permissions system is a complete mess on their actual
| platform; if you create a support request it generates a Jira
| ticket, but depending on how access is set up, you get access to
| the entire support "project" which means you can see other
| customers' support tickets.
|
| Not at all surprised this happened.
| hn_throwaway_99 wrote:
| > multiple current employees' data, including names, email
| addresses, work departments and other information.
|
| What was the hack, scraping LinkedIn?
|
| In all seriousness, I feel like we need some different language
| or a color-coded system (ugh, kinda hate that after I just typed
| this) for the severity of information in hacks. All of this
| information listed is semi-public anyway. Birthdates/SSNs/private
| info I can understand getting up in arms about. But names and
| email addresses? Wait until younger folks hear about this giant
| book phone companies used to deliver that had nearly everyone's
| name and phone number in it!
| layer8 wrote:
| > What was the hack, scraping LinkedIn? I feel like we need
| some different language or a color-coded system for the
| severity of information in hacks.
|
| No, we just need to read the article.
| tyingq wrote:
| They had access to a visitor management system, which may turn
| out to be fairly interesting. Not the crown jewels, but who is
| visiting, and how often, can be sensitive.
| VoidWhisperer wrote:
| The title of the post seems a little bit disingenuous - Atlassian
| themselves wasn't hacked, nor was the vendor that the data ended
| up coming from for that matter.. It was a case of an employee
| accidentally posting credentials for Atlassian's Envoy setup in a
| public repository, which they apparently use for in-office
| resources, hence why it has basic employee information and floor
| plans.
___________________________________________________________________
(page generated 2023-03-19 23:00 UTC)