Date: 2023-02-16

Note: This story and headline have been updated following a statement from Envoy denying that their systems were breached in the incident and a follow-up clarification from an Atlassian spokesperson.

Australian software company Atlassian is claiming that a breach of a third-party application it uses has resulted in some internal employee data being leaked on the web. While independent researchers at cybersecurity firm Check Point have backed up claims that the data does not appear to have come from Atlassian's systems, the makers of the app say an Atlassian employee's compromised credentials are to blame.

In a statement sent to SC Media, an Atlassian spokesperson said the leak appears to have originated via their account with Envoy, which makes and sells workplace collaboration software.

“On February 15, 2023 we learned that data from Envoy, a third-party app that Atlassian uses to coordinate in-office resources, was compromised and published. Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk,” the spokesperson told SC Media. “The safety of Atlassians is our priority, and we worked quickly to enhance physical security across our offices globally. We are actively investigating this incident and will continue to provide updates to employees as we learn more.”

After SC Media reached out to Envoy for comment, a spokesperson sent a statement saying the company is not aware of any evidence that their systems were breached, claiming their own research indicates the incident stemmed from a compromise of an Atlassian employee's credentials.

"We’re investigating this right now and are not aware of any compromise to our systems. Our initial research shows that a hacker gained access to an Atlassian employee's valid credentials to pivot and access the Atlassian employee directory and office floor plans held within Envoy’s app," the spokesperson wrote.

Following publication of that statement, Atlassian's representative later reached out to clarify to SC Media that they did not mean to imply the leaked data was obtained through a hack of Envoy's systems.

"While we confirmed our data on the Envoy app was indeed compromised and published, we did not speculate on how the threat actors gained access as our security team was exploring all possible modes of entry and working closely with Envoy to do so," the spokesperson said. "While we do not wish to speculate, for the sake of clarification, we are aligned with Envoy in the belief that our app data was not compromised due to a breach of their systems."

Earlier this week, a hacking group calling itself “SiegedSec” began posting on Telegram that they had compromised Atlassian's network and leaked employee data in a Valentine’s Day-themed note, claiming to have obtained email addresses, phone numbers, and names of employees as well as “a lot more!”

“SiegedSec is here to announce we have hacked the software company Atlassian,” the hackers wrote, according to a screenshot obtained by SC Media. “This company worth $44 billion has been pwned by the furry hackers uwu…We are leaking thousands of employee records as well as a few building floorplans. These employee records contain email addresses, phone numbers, names and lots more!”

Screenshot of message from SiegedSec hacking group claiming to have hacked Atlassian. Atlassian and independent researchers say the breach originated with third-party app Envoy. (Image credit: Check Point Research)

However, independent researchers corroborated some of Atlassian’s claims, including their core contention that the data leaked online does not appear to have been taken directly from Atlassian systems.

Check Point researchers told SC Media the files and blueprints involved are consistent with the type of third-party data that Envoy would have stored and were stamped with Envoy’s logo. Lending further credence to the idea, despite claiming to have hacked directly into Atlassian’s systems, SiegedSec did not leak any other types of data.

The data leaked does not appear to be particularly valuable, and researchers at Check Point said it's not clear whether SiegedSec's motivations are financial, self-promotional or simply to cause chaos.