Atlassian and Envoy briefly blame each other for data breach

Australian package giant Atlassian and Envoy, a startup that provides workplace guidance services, were astatine loggerheads connected Thursday complete a information breach that exposed nan information of thousands of Atlassian employees.

As first reported by Cyberscoop, a hacking group known arsenic SiegedSec leaked information connected Telegram this week that it claimed to person stolen from Atlassian. This information includes nan names, email addresses, activity departments, and telephone numbers of astir 13,200 Atlassian employees, on pinch level plans of Atlassian offices located successful San Francisco and Sydney, Australia.

“SiegedSec is present to denote that we person hacked nan package institution Atlassian,” SiegedSec said successful a Telegram connection seen by TechCrunch. “This institution worthy $44 cardinal has been pwned by nan furry hackers uwu.” SiegedSec made headlines past twelvemonth aft it leaked 8 gigabytes of information from nan authorities governments of Kentucky and Arkansas, successful protestation astatine nan states’ efforts to enact abortion bans pursuing nan Supreme Court’s determination to overturn Roe v. Wade.

Atlassian was speedy to constituent nan digit of blasted for nan breach astatine Envoy, which nan Sydney-headquartered institution uses to shape its agency spaces. “On February 15, 2023, we learned that information from Envoy, a third-party app that Atlassian uses to coordinate in-office resources, was compromised and published,” Atlassian spokesperson Megan Sutton said successful a connection shared pinch TechCrunch. “Atlassian merchandise and customer information is not accessible via nan Envoy app and truthful not astatine risk.”

Envoy, however, was conscionable arsenic speedy to rebuff Atlassian’s claims. Envoy spokesperson April Marks told TechCrunch that nan startup is “not alert of immoderate discuss to our systems,” adding that first investigation had shown that “a hacker gained entree to an Atlassian employee’s valid credentials to pivot and entree nan Atlassian worker directory and agency level plans held wrong Envoy’s app.” Envoy declined to supply grounds of its claims aliases to reply circumstantial questions.

Soon aft nan startup’s denial, Atlassian changed its stance to align much intimately pinch Envoy. Atlassian’s Sutton told TechCrunch that nan company’s soul investigation since revealed that attackers had really compromised Atlassian information from nan Envoy app “using an Atlassian employee’s credentials that had been mistakenly posted successful a nationalist repository by nan employee.”

“As such, nan hacking group had entree to information visible via nan worker relationship which included nan published agency level plans and nationalist Envoy profiles of different Atlassian labor and contractors,” Sutton added. “The compromised employee’s relationship was promptly abnormal eliminating immoderate further threat to Atlassian’s Envoy data. Atlassian merchandise and customer information is not accessible via nan Envoy app and truthful not astatine risk.”

While it appears that Envoy was not astatine responsibility for nan Atlassian information breach, nan workplace guidance startup — which counts a number of big-name customers, including Hulu, Pinterest, Slack, and Stripe — is nary alien to information incidents. In 2019, information researchers astatine IBM uncovered 2 flaws successful Envoy’s visitant guidance system that could person exposed customer data.