Honey, I forgot the database (shame the hackers didn't)


Over the weekend, software development and collaboration tools specialist Atlassian suffered a security breach to an internal system, potentially exposing customer passwords. The reason? It forgot about an old legacy database which had not been taken offline.

According to Atlassian spokesperson Mike Cannon-Brookes, the company had migrated its customer database into a new one, where all customer passwords were encrypted, during July 2008. "However, the old database table was not taken offline or deleted," Cannon-Brookes says, "and it is this database table that we believe could have been exposed during the breach." He agrees that this was "a big error" for which the company is extremely sorry, admitting "the legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn't active, it should have been deleted. There's no logical explanation for why it wasn't, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up."

Amichai Shulman, CTO with data security experts Imperva, says that examples of forgotten databases being left unprotected are happening more frequently than most would like to admit. "In this case," Shulman says, "the database contained sensitive information, but once it wasn't used as a production system it was forgotten. Unmanaged systems put sensitive data residing on them at a high risk - unmanaged systems are the top targeted systems."

If you have an Atlassian account from before July 2008, then you are advised to change your password, and if it was also used for any other site, change it there as well. Atlassian points out that no credit card or payment details were accessible during the breach.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011, despite my life being far from over...