
Cyber Incident Victim: Atlassian

Date: Feb 2023

Location: Australia

Summary

A hacking group compromised Atlassian, publicly releasing data for over 13,200 employees—including names, email addresses, and departmental roles—along with office floor plans. The breach resulted from attackers using valid credentials to access a third-party workplace app after an employee accidentally exposed their login details in a public repository; however, internal reviews confirmed no compromise of core systems, product data, or customer information. Both the company and the third-party provider stated their respective platforms were not breached, attributing the incident solely to unauthorized credential use.

Description

On February 15, 2023, Atlassian detected unauthorized access leading to the online exposure of internal employee data and office floor plans. The following day, February 16, the hacking group SiegedSec publicly claimed responsibility for breaching the company, announcing the intrusion through a message that mocked Atlassian’s $44 billion valuation. They published two datasets: a file containing 13,200 records with current employee information including names, email addresses, work departments, and other employment details, alongside architectural floor plans for Atlassian’s San Francisco and Sydney office locations. Initial statements from Atlassian indicated the data originated from Envoy, a third-party application used for office resource coordination, with assurances that no product or customer data was compromised. Subsequent investigation revealed attackers obtained an Atlassian employee’s credentials that had been accidentally exposed in a public repository, using these valid credentials to extract data specifically from the Envoy application.

Atlassian and Envoy collaborated to confirm through log analysis that the attackers leveraged the compromised employee account to access and download the exposed data, with Envoy emphasizing its own systems were not directly breached and no other customers’ data was affected. The incident impacted approximately 13,200 employee records – nearly 50% more than Atlassian’s self-reported workforce of 8,813 employees in August 2022 – indicating potential inclusion of former staff or contractors. The published floor plans introduced physical security concerns for Atlassian’s offices. SiegedSec, active since April 2022, previously targeted state government systems in Kentucky and Arkansas in June 2022, framing those attacks as responses to abortion legislation post-Dobbs v. Jackson. While the group referenced Atlassian’s June 2022 critical vulnerability in Confluence Server and Data Center software – exploited by multiple threat actors to execute arbitrary code – no evidence linked that prior flaw to this credential-based breach. Atlassian did not disclose additional containment measures beyond confirming the credential misuse mechanism through its joint review with Envoy.
