Friday, February 17, 2023

Atlassian and Envoy briefly blame each other for data breach • TechCrunch


Australian software giant Atlassian and Envoy, a startup that provides workplace management services, were at loggerheads on Thursday over a data breach that exposed the data of thousands of Atlassian employees.

As first reported by Cyberscoop, a hacking group called SiegedSec leaked data on Telegram this week that it claimed to have stolen from Atlassian. This data includes the names, email addresses, work departments, and phone numbers of approximately 13,200 Atlassian employees, along with floor plans of Atlassian offices located in San Francisco and Sydney, Australia.

“SiegedSec is here to announce that we have hacked the software company Atlassian,” SiegedSec said in a Telegram message seen by TechCrunch. “This company worth $44 billion has been pwned by the furry hackers uwu.” SiegedSec made headlines last year after it leaked eight gigabytes of data from the state governments of Kentucky and Arkansas, in protest at the states’ efforts to enact abortion bans following the Supreme Court’s decision to overturn Roe v. Wade.

Atlassian was quick to point the finger of blame for the breach at Envoy, which the Sydney-headquartered company uses to organize its office spaces. “On February 15, 2023, we learned that data from Envoy, a third-party app that Atlassian uses to coordinate in-office resources, was compromised and published,” Atlassian spokesperson Megan Sutton said in a statement shared with TechCrunch. “Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk.”

Envoy, however, was just as quick to rebuff Atlassian’s claims. Envoy spokesperson April Marks told TechCrunch that the startup is “not aware of any compromise to our systems,” adding that initial research had shown that “a hacker gained access to an Atlassian employee’s valid credentials to pivot and access the Atlassian employee directory and office floor plans held within Envoy’s app.” Envoy declined to provide evidence of its claims or to answer specific questions.

Soon after the startup’s denial, Atlassian changed its stance to align more closely with Envoy. Atlassian’s Sutton told TechCrunch that the company’s internal investigation had since revealed that attackers had actually compromised Atlassian data from the Envoy app “using an Atlassian employee’s credentials that had been mistakenly posted in a public repository by the employee.”

“As such, the hacking group had access to data visible via the employee account which included the published office floor plans and public Envoy profiles of other Atlassian employees and contractors,” Sutton added. “The compromised employee’s account was promptly disabled eliminating any further threat to Atlassian’s Envoy data. Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk.”

While it appears that Envoy was not at fault for the Atlassian data breach, the workplace management startup (which counts a number of big-name customers, including Hulu, Pinterest, Slack, and Stripe) is no stranger to security incidents. In 2019, security researchers at IBM uncovered two flaws in Envoy’s visitor management system that could have exposed customer data.




