Update: The story and title have been updated to reflect new statements from Atlassian.
The initial data leak was reported by Cyberscoop, which learned that a hacking group called SiegedSec had claimed responsibility for stealing data from Atlassian and sharing it on Telegram. The hackers disclosed that they had accessed thousands of employee records, including names, email addresses, and phone numbers, as well as a few building floor plans.
Upon analyzing the leaked data, Check Point Software revealed that the stolen data contained two floor maps for Atlassian's Sydney and San Francisco offices and a JSON file containing employee information.
Employee Data Exposed
The employee file posted online contained more than 13,200 entries, which include current employees' data, such as names, email addresses, work departments, and other relevant information. Atlassian's representative emphasized that Atlassian's product and customer data are not accessible via the Envoy app, and, therefore, not at risk.
The hackers also published floor plans belonging to one floor of the company's San Francisco office and another for its Sydney, Australia, office. However, the company's representative asserted that Atlassian worked quickly to enhance physical security across its offices globally to ensure the safety of its employees.
Atlassian confirmed that the data breach resulted from a hack of its third-party vendor, Envoy, which the company uses for in-office functions. In a later statement, Atlassian confirmed that a hacker gained access to an Atlassian employee's valid credentials to pivot and access the Atlassian employee directory and office floor plans held within Envoy’s app. The software company emphasized that its product and customer data remain secure as they are not accessible through the Envoy app.
"Atlassian's priority is the safety of its employees, and we worked quickly to enhance physical security across our offices globally," said the company in a statement to BleepingComputer. "We are actively investigating this incident and will continue to provide updates to employees as we learn more."
Atlassian is actively investigating the incident and will continue to provide updates to its employees as it learns more. The incident highlights the need for companies to secure their systems and implement better security protocols to ensure the safety and privacy of their employees' data.
Statement from Envoy
Meanwhile, Envoy, the third-party vendor in question, stated that "it is investigating the incident and is not aware of any compromise to its systems. The company's initial research shows that a hacker gained access to an Atlassian employee's valid credentials to pivot and access the Atlassian employee directory and office floor plans held within Envoy’s app," a spokesperson for Envoy told Cyber Kendra.
"Envoy, like Atlassian, takes the security and privacy of our customers’ data incredibly seriously and has stringent measures in place to protect it," an Envoy spokesperson added.
New statements have since come from both Envoy and Atlassian.
Envoy statement:
"Both Envoy and Atlassian security teams have been collaborating to identify the source of the data compromise. We found evidence in the logs of requests that confirms the hackers obtained valid user credentials from an Atlassian employee account and used that access to download the affected data from Envoy’s app. We can confirm Envoy’s systems were not compromised or breached and no other customer’s data was accessed."
Atlassian statement: "Our security team is carefully exploring all possible avenues to understand how the threat actor gained access and working closely with Envoy to do so. While we do not wish to speculate, for the sake of clarification, we are aligned with Envoy in the belief that our app data was not compromised due to a breach of their systems."
Update: 17.02.23 11:45PM (IST)
Statement from Atlassian
An Atlassian spokesperson reached out to Cyber Kendra with the following statement:
"We learned the hacking group compromised Atlassian data from the Envoy app using an Atlassian employee’s credentials that had been mistakenly posted in a public repository by the employee. As such, the hacking group had access to data visible via the employee account which included the published office floor plans and public Envoy profiles of other Atlassian employees and contractors."
"The compromised employee’s account was promptly disabled early in the investigation which was proven effective in eliminating any further threat to Atlassian’s Envoy data. Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk," an Atlassian spokesperson told Cyber Kendra.