Security Advisory - 2016-06-17 - Password Resets

This week we reset the passwords on a number of Bitbucket Cloud accounts to prevent them from being misused.

We detected what appears to be automated credential testing activity against Bitbucket Cloud. As a direct result, we've reset the password of each account where the automated credential test succeeded. 

What's going on

You may have heard about some high-profile breaches and subsequent unauthorised publication of stolen user credentials in the past few weeks. We believe the password data from one or more of these breaches was used in this attack against Bitbucket Cloud. This was not a password guessing or brute forcing attack, and the credentials used in the attack did not come from Bitbucket Cloud or Atlassian. We reset your password as a precaution and apologize for any inconvenience this may have caused, but we wanted to secure your account when we noticed the suspicious activity.

We have evidence in our logs that the attackers executed an API call to retrieve a list of the user's repositories. These calls were initiated from a range of IP addresses, and our protection platforms have been updated with this data.

We can also confirm that no other Atlassian services were affected by this attack.

If your password no longer works and you received a password reset email on June 15th, you can use Bitbucket Cloud's forgot password functionality to set your new password. If you used your Bitbucket Cloud password elsewhere, we suggest you change your password on those services to protect your other accounts. 

If you didn't receive a notification email and can still log into your account, you weren't affected. We still encourage you to secure your accounts, though.

What else you can do

In addition to resetting your password, there are a few other ways you can secure your Bitbucket Cloud account:

  1. Enable two-step verification. This lets you use time-based codes on a mobile device, or special hardware, to protect your account even if someone else gets your password.

  2. Review the "Sessions" link in your Bitbucket Cloud profile to see which IPs and browsers have used your account and when.

  3. Use a strong password that is unique to each service - don't use the same password on multiple sites. (Tools like LastPass or 1Password may help with this.)

  4. Change your passwords regularly. (Tools like LastPass or 1Password may help with this, too.)

Additional Help