Apache server suffers hack attack
An attack on Apache’s project server has resulted in passwords being stolen from all users.


Hackers have attacked the Apache Software Foundation's (ASF) project server and stolen the passwords of all its users.
The attack began on 5 April when hackers broke into Apache's Atlassian JIRA software used to track all its projects and any bugs that emerge.
They sent server admins a TinyURL link claiming they were having problems whilst browsing projects. When admins clicked on the link, it compromised their sessions and allowed the hackers to get hold of administrator rights.
By 9 April, the hackers had planted a password stealing programme and taken full control of JIRA, as well as Apache's Confluence and Bugzilla programmes.
"If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised," said a blog post from the Apache Infrastructure team.
It has warned users of any of these programs to change their passwords, especially if they logged in between 6-9 April.
It has also left those who had Atlassian accounts before July 2008 in danger as an old unencrypted database containing customer passwords was left online and could have been compromised.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
"We made a big error," admitted Mike Cannon-Brookes, chief executive of Atlassian, in a blog post. "For this we are, of course, extremely sorry."
He added: "The legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn't active, it should have been deleted. There's no logical explanation for why it wasn't, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up."
Apache is running JIRA on a proxy configuration for the meantime and has made a number of changes to make the server safer.
"We hope our disclosure has been as open as possible and true to the ASF spirit," concluded the Apache blog. "Hopefully others can learn from our mistakes."
Jennifer Scott is a former freelance journalist and currently political reporter for Sky News. She has a varied writing history, having started her career at Dennis Publishing, working in various roles across its business technology titles, including ITPro. Jennifer has specialised in a number of areas over the years and has produced a wealth of content for ITPro, focusing largely on data storage, networking, cloud computing, and telecommunications.
Most recently Jennifer has turned her skills to the political sphere and broadcast journalism, where she has worked for the BBC as a political reporter, before moving to Sky News.
-
Researchers tested over 100 leading AI models on coding tasks — nearly half produced glaring security flaws
News AI models large and small were found to introduce cross-site scripting errors and seriously struggle with secure Java generation
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
News The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
The NCSC wants you to start using password managers and passkeys – here’s how to choose the best options
News New guidance from the NCSC recommends using passkeys and password managers – but how can you choose the best option? ITPro has you covered.
-
I love magic links – why aren’t more services using them?
Opinion Using magic links instead of passwords is safe and easy but they’re still infuriatingly underused by businesses
-
Password management startup Passbolt secures $8 million to shake up credential security
News Password management startup Passbolt has secured $8 million in funding as part of a Series A investment round.
-
LastPass breach comes back to haunt users as hackers steal $12 million in cryptocurrency
News The hackers behind the LastPass breach are on a rampage two years after their initial attack
-
GitHub launches passkeys beta for passwordless authentication
News Users can now opt-in to using passkeys, replacing their password and 2FA method
-
Microsoft SQL password-guessing attacks rising as hackers pivot from OneNote vectors
News Database admins are advised to enforce better controls as attacks ending in ransomware are being observed
-
No, Microsoft SharePoint isn’t cracking users’ passwords
News The discovery sparked concerns over potentially invasive antivirus scanning practices by Microsoft
-
Microsoft Authenticator mandates number matching to counter MFA fatigue attacks
News The added layer of complexity aims to keep social engineering at bay