Honey, I forgot the database (shame the hackers didn't)


Over the weekend, software development and collaboration tools specialist Atlassian suffered a security breach to an internal system, potentially exposing customer passwords. The reason? It forgot about an old legacy database which had not been taken offline.

According to Atlassian spokesperson Mike Cannon-Brookes the company had migrated its customer database into a new one, where all customer password were encrypted, during July 2008. "However, the old database table was not taken offline or deleted" Cannon-Brookes says "and it is this database table that we believe could have been exposed during the breach". He agrees that this was "a big error" for which the company is extremely sorry, admitting "the legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn't active, it should have been deleted. There's no logical explanation for why it wasn't, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up"

Amichai Shulman, CTO with data security experts Imperva, says that examples of forgotten databases being left unprotected are happening more frequently than most would like to admit. "In this case" Shulman says "the database contained sensitive information, but once it wasn't used as a production system it was forgotten. Unmanaged systems put sensitive data residing on them at a high risk - unmanaged systems are the top targeted systems".

If you have an Atlassian account from before July 2008 then you are advised to change your password and if it was also used for any other site change it there as well. Atlassian points out that no credit card or payment details were accessible during the breach.

Member Avatar
Davey Winder

I've been a freelance word punk for more than two decades and for the last few years an Editorial Fellow at Dennis Publishing. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011. As well as working for DaniWeb I have been a Contributing Editor with PC Pro (the best selling IT magazine in the UK) for twenty years.

Isn't it about time forums rewarded their contributors?

Earn rewards points for helping others. Gain kudos. Cash out. Get better answers yourself.

It's as simple as contributing editorial or replying to discussions labeled or OP Kudos

This is an OP Kudos discussion and contributors may be rewarded
Start New Discussion
View similar articles that have also been tagged: