The Atlassian Security team is dedicated to protecting our customers’ data. We think a lot about the impact of potential cyber intrusions and know that the way we shield customers against attacks impacts their data, privacy, content, source code, and reputation with their customers. We are constantly on high alert; modelling, monitoring, and responding to security threats of all types. And we’ve invested in building a Security Intelligence capability that helps us do just that.
Managing passwords is a key part of using any service and key to protecting the information you have entrusted to that provider. With so many services we use in our daily lives that require passwords, many of us are guilty of occasionally re-using a single password on multiple websites. And most of the time, that’s okay. But sometimes it becomes a security issue: criminal/hacking groups often steal passwords from one service (for example, a social media site) and attempt to use them on another, to try and access your information.
The chances of any individual email-password combination being valid from service to service are quite small. However, when stolen data includes millions of records, and a targeted service has millions of users, there will always be some overlap. You may have read about popular cloud services performing sweeping password resets recently, because of password re-use from other hacked services. We also reset accounts when risks to information are identified, but in addition to detecting attacks and preventing damage, we are striving to do even more.
What we’re doing
We’re now actively looking for leaked password databases that are made public, and testing the passwords against Atlassian Cloud services. Soon, we’ll be testing against StatusPage too. When we find email and password combinations that work, we reset the passwords and let you, the user, know. If you receive a notice like this, don’t be alarmed. These resets are preventative, not an indication of unauthorised access. We believe it’s better to sort this out now, than to wait for trouble and tell customers afterwards.
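The check described above can also be run offline, without submitting leaked passwords to a live login endpoint: re-derive each leaked password with the account's own salt and compare it against the stored hash. The example below is added here to illustrate that approach; it is not Atlassian's code and makes assumptions the post does not state (that accounts are stored as salted PBKDF2-HMAC-SHA256 hashes, that the leak arrives as `email:password` lines, and an iteration count of 100,000). The user store and the leak dump are constructed for the example.

```python
"""Offline detection of leaked-credential reuse (added example, not Atlassian's code).

Assumptions (not from the post): accounts are stored as salted PBKDF2-HMAC-SHA256
hashes, and the leak is a text dump of 'email:password' lines. The output is the
list of accounts whose current password appears in the leak, i.e. the accounts a
service would reset and notify. Leaked plaintexts are never returned or logged.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumed value; a real deployment tunes this


@dataclass(frozen=True)
class StoredCredential:
    email: str      # normalised to lower case
    salt: bytes     # per-account random salt
    pw_hash: bytes  # PBKDF2-HMAC-SHA256(password, salt)


def derive_hash(password: str, salt: bytes) -> bytes:
    """Derive the stored hash for a password under a given account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_credential(email: str, password: str) -> StoredCredential:
    """Simulate account creation: fresh salt, hash, lower-cased email."""
    salt = os.urandom(16)
    return StoredCredential(email.strip().lower(), salt, derive_hash(password, salt))


def parse_leak(lines):
    """Parse 'email:password' lines from a dump.

    Splits on the first ':' only, so passwords containing ':' survive intact;
    blank or malformed lines are skipped rather than aborting the run.
    """
    pairs = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs


def find_reused_credentials(store, leak_pairs):
    """Return the sorted list of account emails whose live password is in the leak."""
    by_email = {cred.email: cred for cred in store}
    to_reset = set()
    for email, leaked_pw in leak_pairs:
        cred = by_email.get(email)
        if cred is None:
            continue  # leaked account is not one of ours
        candidate = derive_hash(leaked_pw, cred.salt)
        # Constant-time comparison, as for any password verification path.
        if hmac.compare_digest(candidate, cred.pw_hash):
            to_reset.add(email)
    return sorted(to_reset)


# Constructed sample data for the example (not real accounts or a real leak).
USER_STORE = [
    store_credential("alice@example.com", "correct horse battery staple"),
    store_credential("bob@example.com", "Tr0ub4dor&3"),
    store_credential("carol@example.com", "unique:with:colons"),
]

LEAK_DUMP = [
    "alice@example.com:correct horse battery staple",  # reused here -> reset
    "BOB@example.com:some-other-password",             # our user, different password
    "carol@example.com:unique:with:colons",            # reused, password contains ':'
    "dave@example.com:not-our-user",                   # account not on this service
    "malformed line without separator",                # skipped by the parser
]


def run_example():
    """Run the check over the constructed data; returns the accounts to reset."""
    return find_reused_credentials(USER_STORE, parse_leak(LEAK_DUMP))


if __name__ == "__main__":
    for account in run_example():
        print(f"reset and notify: {account}")
```

Design notes: emails are normalised before matching because dumps mix cases; the comparison is constant-time even though this is a batch job, so the same helper can back an interactive login path; and the result carries only account identifiers, which is all the reset-and-notify step needs.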
While there is no silver bullet against security threats, we are confident in this proactive approach and constantly integrating security into our products, like the newly announced multi-factor authentication in Bitbucket.
What you can do
We suggest you avoid re-using passwords between different websites – instead, use a password manager like LastPass or 1Password, so you don’t have to remember all those special characters.
Check out the Atlassian Trust Center for more information on our security program. We’re going all in to let you know how we approach security, so you can feel comfortable and make informed decisions about the security of your information.