Over the weekend, software development and collaboration tools specialist Atlassian suffered a security breach to an internal system, potentially exposing customer passwords. The reason? It forgot about an old legacy database which had not been taken offline.
According to Atlassian spokesperson Mike Cannon-Brookes the company had migrated its customer database into a new one, where all customer password were encrypted, during July 2008. "However, the old database table was not taken offline or deleted" Cannon-Brookes says "and it is this database table that we believe could have been exposed during the breach". He agrees that this was "a big error" for which the company is extremely sorry, admitting "the legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn't active, it should have been deleted. There's no logical explanation for why it wasn't, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up"
Amichai Shulman, CTO with data security experts Imperva, says that examples of forgotten databases being left unprotected are happening more frequently than most would like to admit. "In this case" Shulman says "the database contained sensitive information, but once it wasn't used as a production system it was forgotten. Unmanaged systems put sensitive data residing on them at a high risk - unmanaged systems are the top targeted systems".
If you have an Atlassian account from before July 2008 then you are advised to change your password and if it was also used for any other site change it there as well. Atlassian points out that no credit card or payment details were accessible during the breach.