Atlassian breach sparks brief blame game with app provider

Atlassian has confirmed a data breach involving employee data, briefly prompting a back-and-forth blame game between it and a third-party app provider.

A hacker group known as ‘SiegedSec’ claimed responsibility for an attack on Atlassian on Wednesday in a post via Telegram. The group claimed to have accessed employee information and details on office floor plans at sites in San Francisco and Sydney.

Employee data, including names, email addresses, phone numbers, and additional miscellaneous information, was exposed in the breach, according to SiegedSec.

“SiegedSec is here to announce we have hacked the software company Atlassian,” the group said in a Telegram statement.

“We are leaking thousands of employee records, as well as a few building floorplans. These employee records contain email addresses, phone numbers, names, and lots more.”

Conflicting reports

In a statement yesterday, Atlassian confirmed a data breach had occurred but initially suggested that data from Envoy, which provides office visitor management tools, was compromised and published.

“On February 15 2023, we learned that data from Envoy, a third-party app that Atlassian uses to coordinate in-office resources, was compromised and published,” the company said at the time.

“Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk. The safety of Atlassians is our priority, and we worked quickly to enhance physical security across our offices globally.”

However, in a statement given to IT Pro, Envoy said that a preliminary investigation revealed that the hack appeared to be the result of attackers stealing user credentials from an Atlassian employee, which then enabled them to extract data from the app.

“We found evidence in the logs of requests that confirms the hackers obtained valid user credentials from an Atlassian employee account and used that access to download the affected data from Envoy’s app,” the company said.

“We can confirm Envoy’s systems were not compromised or breached and no other customer’s data was accessed.”

The company added that security teams at both Envoy and Atlassian were “collaborating to identify the source of the data compromise”.

This appears to have prompted a U-turn at Atlassian, which has since issued a statement clarifying the situation. The company now says it does not believe the incident was caused by a breach of Envoy’s systems.

“Our security team is carefully exploring all possible avenues to understand how the threat actor gained access and working closely with Envoy to do so,” Atlassian said.

“While we do not wish to speculate, for the sake of clarification, we are aligned with Envoy in the belief that our app data was not compromised due to a breach of their systems.”

Who are SiegedSec?

SiegedSec appears to be a relatively small cybercrime group which emerged on the scene in early 2022.

Insights from DarkOwl, a darknet data provider, suggest that the group emerged just days before the Russian invasion of Ukraine in February 2022. The group is allegedly led by a “renowned hacktivist” who uses the moniker YourAnonWolf.

The group has since gone on to successfully target a number of organisations. In June 2022, the group claimed to have stolen sensitive internal documents from government servers in the US states of Kentucky and Arkansas.

The attack was thought to have been in reprisal for the US Supreme Court’s decision to reverse Roe v. Wade.

Ross Kelly
News and Analysis Editor
