Over the weekend, software development and collaboration tools specialist Atlassian suffered a security breach of an internal system, potentially exposing customer passwords. The reason? It had forgotten about an old legacy database table which had never been taken offline.

According to Atlassian spokesperson Mike Cannon-Brookes, the company had migrated its customer database to a new one, in which all customer passwords were encrypted, during July 2008. "However, the old database table was not taken offline or deleted," Cannon-Brookes says, "and it is this database table that we believe could have been exposed during the breach." He agrees that this was "a big error" for which the company is extremely sorry, admitting: "The legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn't active, it should have been deleted. There's no logical explanation for why it wasn't, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up."

Amichai Shulman, CTO with data security experts Imperva, says that examples of forgotten databases being left unprotected are happening more frequently than most would like to admit. "In this case," Shulman says, "the database contained sensitive information, but once it wasn't used as a production system it was forgotten. Unmanaged systems put sensitive data residing on them at a high risk - unmanaged systems are the top targeted systems."
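The failure both Cannon-Brookes and Shulman describe is a migration that copies accounts into a protected table and then stops one step short: the plaintext original is never dropped, and nothing afterwards checks for it. The script below is an added illustration of that missing step and that missing check; it is not Atlassian's code, and the table layouts, the invented customer rows and the choice of salted PBKDF2-HMAC-SHA256 (the article says only that the new database was "encrypted") are this example's assumptions. It builds a legacy table in an in-memory SQLite database, migrates it so that the DROP of the old table is part of the same transaction as the copy, and then runs an inventory check that flags any remaining table which still stores a password as plain text.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows standing in for a legacy plaintext-password table.
# The addresses and passwords are invented for this example.
LEGACY_ROWS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correct horse battery staple"),
]

PBKDF2_ITERATIONS = 200_000
PASSWORD_COLUMN_NAMES = {"password", "passwd", "pwd"}


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256: the stored value is useless without the salt and a guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def open_legacy_db():
    """Build an in-memory database that mirrors the legacy layout: passwords stored as TEXT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers_legacy (email TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO customers_legacy VALUES (?, ?)", LEGACY_ROWS)
    conn.commit()
    return conn


def migrate(conn):
    """Copy every account into a table that stores only salt + hash, then DROP the legacy table.

    The DROP is the step the article describes as forgotten. Running it in the same
    transaction as the copy means a half-finished migration cannot leave an orphaned
    plaintext table behind: either everything moves and the old table is gone, or nothing changes.
    Returns the number of accounts migrated.
    """
    conn.execute(
        "CREATE TABLE customers (email TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    rows = conn.execute("SELECT email, password FROM customers_legacy").fetchall()
    for email, plaintext in rows:
        salt = os.urandom(16)  # per-account salt, so equal passwords do not hash equal
        conn.execute(
            "INSERT INTO customers VALUES (?, ?, ?)",
            (email, salt, hash_password(plaintext, salt)),
        )
    conn.execute("DROP TABLE customers_legacy")
    conn.commit()
    return len(rows)


def verify_login(conn, email, password):
    """Recompute the hash for the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM customers WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def find_plaintext_password_tables(conn):
    """Inventory check: list every table.column that looks like a password kept as TEXT.

    This is the kind of scheduled audit that catches a forgotten legacy table before an
    attacker does. Table names come from sqlite_master, not from user input, so quoting
    them into the PRAGMA is safe here.
    """
    suspects = []
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    for (table,) in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
        for _cid, col, ctype, _notnull, _default, _pk in conn.execute(
            f'PRAGMA table_info("{table}")'
        ).fetchall():
            if col.lower() in PASSWORD_COLUMN_NAMES and ctype.upper() == "TEXT":
                suspects.append(f"{table}.{col}")
    return suspects


if __name__ == "__main__":
    db = open_legacy_db()
    print("before migration:", find_plaintext_password_tables(db))
    print("accounts migrated:", migrate(db))
    print("after migration:", find_plaintext_password_tables(db))
    print("alice/hunter2 ->", verify_login(db, "alice@example.com", "hunter2"))
```

The audit deliberately keys on column name and declared type rather than on whether a table is "in use": as Shulman notes, it is precisely the table nobody uses that nobody is watching, so the check has to walk the schema catalogue rather than the application's own list of live tables.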

If you have an Atlassian account that dates from before July 2008, you are advised to change your password; if you used the same password on any other site, change it there as well, since a password stored in plain text can be tried directly against other services. Atlassian points out that no credit card or payment details were accessible during the breach.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
