Title made it confusing: how did bitbucket even have users' SSH keys?
However, it seems to be about their host keys. The article seems down for me, but https://bitbucket.org/blog/ has a title "ACTION REQUIRED: Update your Bitbucket Cloud SSH Host Keys".
That means that you need to drop their entries from your known_hosts file or you risk a MITM attack on an insecure network.
Considering we usually blindly accept new SSH hosts without checking for fingerprints (e.g. on new or reinstalled machines), it's probably unlikely this will be exploited in the wild since it already could have been.
Another point worth bringing up: it'd be nice if we set up either a PGP-like trust ring for host SSH signatures, or relied on a set of CAs like we do for TLS.
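The safe version of the known_hosts cleanup the post describes, as an added Python example (not code from the post or from Bitbucket): drop every entry for the host, plain or hashed, and pin the replacement key only after its SHA256 fingerprint matches a value obtained out of band. The key blobs, salt and expected fingerprint below are constructed placeholders, not real Bitbucket keys.

```python
import base64
import hashlib
import hmac


def fingerprint(key_blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob (as ssh-keygen -lf prints)."""
    digest = hashlib.sha256(base64.b64decode(key_blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _entry_matches_host(hostfield: str, host: str) -> bool:
    # Plain entries list hosts comma-separated; hashed entries are |1|salt|HMAC-SHA1(salt, host).
    if hostfield.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hostfield.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in hostfield.split(",")


def drop_host(known_hosts: str, host: str) -> str:
    """Return known_hosts text with every entry for `host` removed (what ssh-keygen -R does)."""
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        hostfield = fields[1] if fields and fields[0].startswith("@") else (fields[0] if fields else "")
        if len(fields) >= 3 and _entry_matches_host(hostfield, host):
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")


def pin_new_key(known_hosts: str, host: str, keytype: str, blob_b64: str, expected_fp: str) -> str:
    """Replace the host's entries, but only if the new key matches the out-of-band fingerprint."""
    if fingerprint(blob_b64) != expected_fp:
        raise ValueError(f"fingerprint mismatch for {host}: refusing to trust the new key")
    return drop_host(known_hosts, host) + f"{host} {keytype} {blob_b64}\n"


# Constructed sample data (placeholder keys, not Bitbucket's): fake ed25519 blobs and a
# known_hosts file holding one plain and one hashed entry for the host being rotated.
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


OLD_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)).decode()
NEW_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x02" * 32)).decode()
_SALT = b"\x03" * 20
HASHED_HOST = "|1|%s|%s" % (base64.b64encode(_SALT).decode(),
                            base64.b64encode(hmac.new(_SALT, b"bitbucket.org", hashlib.sha1).digest()).decode())
SAMPLE_KNOWN_HOSTS = (f"bitbucket.org,192.0.2.1 ssh-ed25519 {OLD_BLOB}\n"
                      f"{HASHED_HOST} ssh-ed25519 {OLD_BLOB}\n"
                      f"other.example ssh-ed25519 {OLD_BLOB}\n")
```

In practice `expected_fp` comes from the vendor's published fingerprint list, not from the key the server just presented; feeding the freshly scanned key's own fingerprint back in is exactly the blind acceptance the post warns about.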