IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Apache server suffers hack attack

An attack on Apache’s project server has resulted in passwords being stolen from all users.

Hack attack

Hackers have attacked the Apache Software Foundation's (ASF) project server and stolen the passwords of all its users.

The attack began on 5 April when hackers broke into Apache's Atlassian JIRA software used to track all its projects and any bugs that emerge.

They sent server admins a TinyURL link claiming they were having problems whilst browsing projects. When admins clicked on the link, it compromised their sessions and allowed the hackers to get hold of administrator rights.

By 9 April, the hackers had planted a password stealing programme and taken full control of JIRA, as well as Apache's Confluence and Bugzilla programmes.

"If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised," said a blog post from the Apache Infrastructure team.

It has warned users of any of these programs to change their passwords, especially if they logged in between 6-9 April.

It has also left those who had Atlassian accounts before July 2008 in danger as an old unencrypted database containing customer passwords was left online and could have been compromised.

"We made a big error," admitted Mike Cannon-Brookes, chief executive of Atlassian, in a blog post. "For this we are, of course, extremely sorry."

He added: "The legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn't active, it should have been deleted. There's no logical explanation for why it wasn't, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up."

Apache is running JIRA on a proxy configuration for the meantime and has made a number of changes to make the server safer.

"We hope our disclosure has been as open as possible and true to the ASF spirit," concluded the Apache blog. "Hopefully others can learn from our mistakes."

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to incorporate password protection into your security strategy
Sponsored

How to incorporate password protection into your security strategy

3 Aug 2022
Should you take your password manager off the internet?
Sponsored

Should you take your password manager off the internet?

28 Jul 2022
The psychology of secure passwords
Sponsored

The psychology of secure passwords

14 Jul 2022

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
data centres

Microsoft successfully tests emission-free hydrogen fuel cell system for data centres

29 Jul 2022