Atlassian Considered Harmful
There are two viewpoints on stuff like this page, which lists the last 10 years of disclosed vulnerabilities in Atlassian software:
- that it demonstrates responsible open disclosure and is good marketing material for sales,
- that it is a lengthy record of abject architectural failure at scale.
I am in the latter camp. [1]
Footnotes
[1] In the last sentence of our team's famous 2010 postmortem [2]
https://infra.apache.org/blog/apache_org_04_09_2010
we state (paraphrased):
We hope other people will learn from our mistakes.
In hindsight, clearly our hope was misplaced:
https://cybersecuritynews.com/atlassians-model-context-protocol/
However, Orion's progenitor, the Apache CMS, was born six months after that postmortem was published. In that case, those lessons informed the design from the pain of lived experience.
[2] The blog entry for Atlassian's inept postmortem about this incident has been redacted from the internet. Basically, they just failed to maintain the 301 redirect after a few years, so here is where it wound up:
https://www.atlassian.com/blog/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach
So much for permalink priorities for megacorporations that view security incidents as PR advancement opportunities.
For the record, SHA-* is a hashing algorithm, not an encryption algorithm, much less a cryptographically secure hashing algorithm (like, say, bcrypt or crypt-md5). You do not want to be told by your SaaS vendor that your passwords are encrypted, because a hacker may gain the decryption key and read them in plain text.
You certainly don't want them to reassure you that your passwords are safe when the hacker has the SHA-* hashes of them, because SHA-* is designed to be performant enough that a brute force search/guessing attack against the hash itself is computationally tractable. You want your vendor to tell you your passwords are hashed via bcrypt with at least 5 rounds in its configuration: a scheme designed to defeat brute force guessing, and updatable to the hardware specs of the times.
And even so, they should recommend you change them, because it is the responsible thing to do.
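To make the two properties above concrete (a tunable work factor, and a cost that can be raised as hardware improves), here is an added example that is not part of the original post. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, since bcrypt is not in the standard library; the iteration count plays the role of bcrypt's rounds setting, and the record format, parameter values and function names are this example's own assumptions. The `cost_ratio` function measures how much more expensive one password-hash evaluation is than one bare SHA-256, which is the gap the text is talking about.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this demo (not from the post). The iteration count is
# the tunable work factor; raise it over time the way bcrypt's rounds are raised.
CURRENT_ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The weak scheme the post criticises: fast, unsalted, same output for same input."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Salted, slow hash. Record format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, target_iterations: int = CURRENT_ITERATIONS) -> bool:
    """True when the record was made with a lower work factor than we now require."""
    return int(stored.split("$")[1]) < target_iterations


def login(password: str, stored: str, target_iterations: int = CURRENT_ITERATIONS):
    """Return (ok, record). On success, transparently upgrade stale records."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored, target_iterations):
        return True, hash_password(password, target_iterations)
    return True, stored


def cost_ratio(password: str = "correct horse", samples: int = 5,
               iterations: int = CURRENT_ITERATIONS) -> float:
    """How many times slower one PBKDF2 evaluation is than one bare SHA-256."""
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(password.encode()).digest()
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    slow = (time.perf_counter() - t0) / samples
    return slow / fast


if __name__ == "__main__":
    # Constructed sample: a record created under an older, lower work factor.
    old_record = hash_password("hunter2", iterations=50_000)
    ok, new_record = login("hunter2", old_record)
    print("login ok:", ok, "| upgraded:", new_record != old_record)
    print("unsalted SHA-256 identical for two users with the same password:",
          unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    print("per-guess cost ratio (PBKDF2 vs bare SHA-256): ~%.0fx" % cost_ratio())
```

The point of `login` is the "updatable" property: the stored record carries its own iteration count, so when the required cost goes up, each user's record is rehashed on their next successful login without a mass reset, while `cost_ratio` shows why a vendor who stored bare SHA-* hashes cannot honestly call them safe.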
It is absurd to read Mike Cannon-Brookes's drivel sent to customers about the safety of the SHA-* hashes of customer passwords stolen by the hackers, if you bother to read the bullet points of the Apache postmortem on Password Security.
Moreover, every day their Incident Response Team slept over the weekend, another F/OSS org got hacked from that SliceHost box. We notified their team on Friday of our findings, after business hours in Sydney, and instead of telling their customers that they do not read security email off-hours and therefore got hacked on Sunday, Pacific time, they fibbed and said they discovered the hack themselves, having been caught completely unawares.
Red Hat, Codehaus and JBoss were three of the incidental victims hacked while the Atlassian IR team slept, but there were several others.