Popular Australian software firm Atlassian Corp and workplace management software company Envoy were in dispute over a data breach that exposed the data of thousands of Atlassian employees.
The SiegedSec hacking group claimed responsibility for the breach and leaked data via its Telegram channel.
The stolen data includes the names, email addresses, work departments, and phone numbers of more than 13,000 Atlassian employees and floor plans of Atlassian offices in San Francisco and Sydney.
Initially, Atlassian blamed Envoy for the breach. However, Envoy dismissed Atlassian’s claims, stating:
“a hacker gained access to an Atlassian employee’s valid credentials to pivot and access the Atlassian employee directory and office floor plans held within Envoy’s app.”
Later, Atlassian's spokesperson Megan Sutton informed TechCrunch reporters that their internal investigation revealed that attackers had accessed data from the Envoy app using an employee's credentials that had been mistakenly posted in a public repository.
Atlassian’s own security documentation states that its Security Assistant tool:
"Identifies any accidental or inadvertent disclosure of secrets in code repositories (e.g. authentication tokens or cryptographic keys)"
Basic security hygiene dictates that credentials, API keys and other secrets should never be committed to repositories, and certainly not to public ones.
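The kind of check such a tool performs can be reduced to a small scanner that runs over file or diff content before it is pushed. The following is an added example written for this article, not code from Atlassian, Envoy or any real scanner; the rule set is a hypothetical subset (well-known key formats plus a generic "name = value" rule filtered by entropy), and the sample config is constructed, with Amazon's documented example key id standing in for a real one.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical rule subset: fixed-format credentials plus a generic
# "api_key = ..." style assignment. Real scanners ship far larger rule sets.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{16,})"
    ),
}

@dataclass
class Finding:
    line: int
    rule: str
    preview: str  # first 4 chars only, rest masked, so the report leaks nothing

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, placeholders score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Scan file or diff content line by line and report likely secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                candidate = m.group(1) if m.groups() else m.group(0)
                # The generic rule alone would flag placeholders such as
                # secret = "xxxxxxxx..."; require randomness before reporting.
                if rule == "generic_assignment" and shannon_entropy(candidate) < entropy_threshold:
                    continue
                findings.append(Finding(lineno, rule, candidate[:4] + "*" * (len(candidate) - 4)))
    return findings

# Constructed sample config; the AWS id is Amazon's documented example value.
SAMPLE = """\
# app settings
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
db_password = "hunter2"
api_token = "kq8Zx2vB7nL4pR9tW1yC6mF3sH5jD0gA"
secret = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.rule} -> {f.preview}")
```

Wired into a pre-commit hook or a CI step that scans each diff, a check like this blocks the commit before the secret ever reaches a public remote; the short `hunter2` and the all-`x` placeholder are deliberately left unflagged to show why a length and entropy filter is needed to keep noise down.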