Atlassian Stored Passwords in Cleartext? - jason_tko
http://blog.webnet-it.co.jp/2010/04/13/atlassian-stored-passwords-in-cleartext/

======
veeti
The e-mail does mention that "this security issue only affects Atlassian
customers who created an Atlassian account and purchased one of our products
before June 2008. Since then, we have been using a more secure user management
system based on Atlassian's Crowd product".

------
acangiano
If confirmed, this will cause major damage to the company's reputation.
Atlassian is supposed to "get it". Apparently they don't. Very disappointing.

~~~
Nwallins
> _Be aware that this security issue only affects Atlassian customers who
> created an Atlassian account and purchased one of our products before June
> 2008. Since then, we have been using a more secure user management system
> based on Atlassian’s Crowd product._

~~~
acangiano
I read that, but it doesn't excuse them. Existing users should have been
migrated to the secure setup.

~~~
giu
The existing users have been migrated to the secure setup, but they didn't
delete the legacy customer database in which they stored all the passwords in
clear-text
([http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an...](http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html))

------
orev
There's absolutely nothing in this email saying they stored passwords in
"clear text". They could have been stored hashed with an older algorithm.
Maybe not the best thing to do, but that's not the same as clear text. If
someone obtained the hashed passwords, they might be able to crack them
(salted or not).

They are doing the responsible thing by informing their users. It's posts with
titles like this that prevent more companies from disclosing security
breaches.

~~~
jason_tko
Actually, it turns out storing passwords in cleartext is exactly what they
did. I think it's worthwhile for everyone to be aware of the ramifications and
problems associated with this.

Their second response was far better, and addresses all of the concerns their
first response generated.

~~~
streety
I assume this is the second response:
[http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an...](http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html)

Presumably, if this was an unmaintained legacy system and you had changed your
password since July 2008, your account would be safe. There is no mention of
this though.

------
stingraycharles
Well, they could also have been using unsalted hashes, and they're afraid
someone might use a rainbow table to find out the original password. Still
bad, but not nearly as bad.

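The unsalted-versus-salted distinction raised in the comment above, as an added example (not code from this thread, nor Atlassian's): the legacy records and the weak-password table are constructed, and the function names are assumptions. It shows why an unsalted table is only marginally better than cleartext (a single lookup reverses weak entries and equal hashes expose shared passwords), what the salted, slow replacement looks like, and how a legacy record can be retired on the user's next login.

```python
import hashlib
import hmac
import os

# Constructed sample legacy records: unsalted SHA-1 hashes, the kind of storage
# an older user database might have used. Not real Atlassian data.
LEGACY_USERS = {
    "alice": hashlib.sha1(b"password1").hexdigest(),
    "bob": hashlib.sha1(b"password1").hexdigest(),
}

# A tiny precomputed hash -> password table, standing in for a rainbow table.
WEAK_PASSWORDS = ("123456", "password1", "letmein", "qwerty")
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}


def audit_legacy(users: dict) -> dict:
    """Defender's audit of an unsalted table: accounts whose hash a precomputed
    table reverses in one lookup, and accounts that share a password."""
    reversible = {u for u, h in users.items() if h in PRECOMPUTED}
    by_hash = {}
    for u, h in users.items():
        by_hash.setdefault(h, []).append(u)
    shared = [sorted(us) for us in by_hash.values() if len(us) > 1]
    return {"reversible": reversible, "shared": shared}


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Salted, slow hashing: a fresh 16-byte salt per user plus PBKDF2-HMAC-SHA256,
    so equal passwords give unequal records and no table can be precomputed."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def rehash_on_login(users: dict, user: str, password: str):
    """Migration step: on a successful login against the legacy hash, replace it
    with a salted record so the weak copy does not linger in the database."""
    if users.get(user) != hashlib.sha1(password.encode()).hexdigest():
        return None
    users[user] = hash_password(password)
    return users[user]
```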
------
blueben
Too much conjecture, not enough fact.

------
giu
A post describing the security breach in more detail has been published on the
Atlassian blog:
[http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an...](http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html)

Looks like they were storing the passwords of older accounts in clear-text
(see 'Lessons we've learned today').

------
lurkinggrue
They kept the password properly encrypted, but they just kept a copy in a
backup_password field for emergencies.