Australian software program large Atlassian and Envoy, a startup that gives office administration companies, had been at loggerheads on Thursday over a knowledge breach that uncovered the info of 1000’s of Atlassian staff.
As first reported by Cyberscoop, a hacking group generally known as SiegedSec leaked information on Telegram this week that it claimed to have stolen from Atlassian. This information consists of the names, electronic mail addresses, work departments, and cellphone numbers of roughly 13,200 Atlassian staff, together with flooring plans of Atlassian places of work positioned in San Francisco and Sydney, Australia.
“SiegedSec is right here to announce that we’ve hacked the software program firm Atlassian,” SiegedSec stated in a Telegram message seen by TechCrunch. “This firm price $44 billion has been pwned by the furry hackers uwu.” SiegedSec made headlines final yr after it leaked eight gigabytes of knowledge from the state governments of Kentucky and Arkansas, in protest on the states’ efforts to enact abortion bans following the Supreme Court docket’s determination to overturn Roe v. Wade.
Atlassian was fast to level the finger of blame for the breach at Envoy, which the Sydney-headquartered firm makes use of to arrange its workplace areas. “On February 15, 2023, we discovered that information from Envoy, a third-party app that Atlassian makes use of to coordinate in-office assets, was compromised and revealed,” Atlassian spokesperson Megan Sutton stated in an announcement shared with TechCrunch. “Atlassian product and buyer information shouldn’t be accessible by way of the Envoy app and subsequently not in danger.”
Envoy, nonetheless, was simply as fast to rebuff Atlassian’s claims. Envoy spokesperson April Marks advised TechCrunch that the startup is “not conscious of any compromise to our techniques,” including that preliminary analysis had proven that “a hacker gained entry to an Atlassian worker’s legitimate credentials to pivot and entry the Atlassian worker listing and workplace flooring plans held inside Envoy’s app.” Envoy declined to supply proof of its claims or to reply particular questions.
Quickly after the startup’s denial, Atlassian modified its stance to align extra intently with Envoy. Atlassian’s Sutton advised TechCrunch that the corporate’s inside investigation since revealed that attackers had truly compromised Atlassian information from the Envoy app “utilizing an Atlassian worker’s credentials that had been mistakenly posted in a public repository by the worker.”
“As such, the hacking group had entry to information seen by way of the worker account which included the revealed workplace flooring plans and public Envoy profiles of different Atlassian staff and contractors,” Sutton added. “The compromised worker’s account was promptly disabled eliminating any additional menace to Atlassian’s Envoy information. Atlassian product and buyer information shouldn’t be accessible by way of the Envoy app and subsequently not in danger.”
Whereas it seems that Envoy was not at fault for the Atlassian information breach, the office administration startup — which counts plenty of big-name clients, together with Hulu, Pinterest, Slack, and Stripe — isn’t any stranger to safety incidents. In 2019, safety researchers at IBM uncovered two flaws in Envoy’s customer administration system that would have uncovered buyer information.