SSH key changed for bitbucket.org

Alan Hardman
Contributor
June 2, 2026

Is this an expected change, or is something different on Bitbucket's end? Most connections over SSH from our network are showing remote host identification warnings.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/user/.ssh/known_hosts:3
remove with:
ssh-keygen -f "/home/user/.ssh/known_hosts" -R "bitbucket.org"
Host key for bitbucket.org has changed and you have requested strict checking.
Host key verification failed.

There isn't a key change blog post or notification since 2023.

7 answers

1 accepted

0 votes
Answer accepted
Alan Hardman
Contributor
June 2, 2026

I got a response from Bitbucket's support team: this was a temporary configuration error and not a security breach.

I hope you are doing well. I am Sandeep, Senior Support Engineer in the Bitbucket Cloud support team and I will be helping you with this case.

I am sharing below the information about the SSH.

Who this is for

Between 2026-06-02 19:38 UTC and 20:09 UTC, bitbucket.org's SSH service temporarily presented our previous host key used prior to Bitbucket’s 2023 Host Key Rotation. If, during that window, you removed your saved bitbucket.org entry and re-accepted the new key, your known_hosts may now contain the wrong (old) key.

We've corrected the service, so it's once again presenting the correct host keys.

...

Was this a security incident?

No. Despite the warning, no security incident has actually occurred. This was triggered by a configuration update which inadvertently caused Bitbucket to serve SSH traffic using the previous, pre-2023-rotation key.

If you received a REMOTE HOST IDENTIFICATION HAS CHANGED error in this window, your connection was still private. If you have any concerns, refer to the Fingerprints section below.
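An added example, not part of the support reply or of any Bitbucket tooling: a check for the case described under "Who this is for", where known_hosts may now pin the old key. It computes each stored entry's SHA256 fingerprint and flags the one quoted in the warning at the top of this thread. The function names are hypothetical, only exact host names are matched (plain or hashed, no wildcards or `[host]:port` forms), and the sample key blobs are constructed stand-ins.

```python
import base64
import hashlib
import hmac

# Fingerprint quoted in the warning at the top of this thread; the support
# reply identifies it as the pre-2023-rotation key.
RETIRED = {"SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A"}

def fingerprint(key_b64):
    """SHA256 fingerprint in the form OpenSSH prints for a public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """True if a known_hosts host field names `host`, plain or hashed."""
    if field.startswith("|1|"):
        # HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    return host in field.split(",")  # assumption: exact names only, no wildcards

def audit(known_hosts_text, host, retired=RETIRED):
    """Return (line_no, key_type, fingerprint, is_retired) per entry for host."""
    findings = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if host_matches(fields[0], host):
            fp = fingerprint(fields[2])
            findings.append((n, fields[1], fp, fp in retired))
    return findings

if __name__ == "__main__":
    # Constructed sample: these blobs are stand-ins, not real host keys.
    old = base64.b64encode(b"constructed-old-blob").decode()
    new = base64.b64encode(b"constructed-new-blob").decode()
    sample = f"github.com ssh-rsa {new}\nbitbucket.org ssh-rsa {old}\n"
    for n, ktype, fp, bad in audit(sample, "bitbucket.org", {fingerprint(old)}):
        print(f"line {n}: {ktype} {fp} {'RETIRED KEY, remove it' if bad else 'ok'}")
```

Run against the real file by passing the contents of `~/.ssh/known_hosts` to `audit`; entries that are not flagged still need comparing against the fingerprints Atlassian publishes.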

3 votes
Alexandre Fillatre
June 2, 2026

DO NOT update your `known_hosts` at the time. This is the former key that was leaked (details here: https://www.atlassian.com/blog/bitbucket/ssh-host-key-changes).

This does not seem legit at all, so please wait for Atlassian to issue an official statement.

Alan Hardman
Contributor
June 2, 2026

My guess is that it was a misconfiguration somewhere that switched back to the old key rather than someone intentionally compromising the bitbucket.org domain and using the old key to avoid detection, but I guess we'll find out!

3 votes
chamilton
Contributor
June 2, 2026

I get the same message... it just happened within the last 20 minutes I believe... I was able to connect prior to that. I feel that Bitbucket should publish a notice about this.

Joseph T_ Bradley
Contributor
June 2, 2026

Agreed. Looks like the last time they rotated keys was a few years ago, and they published a notice back then, with the new signatures.  

https://www.atlassian.com/blog/bitbucket/ssh-host-key-changes
Joseph T_ Bradley
Contributor
June 2, 2026

Looks like the older keys have been restored now? 

João Marcelo
June 2, 2026

This happens to be the fingerprint of the old keys... but they were compromised (the very reason to have been rotated).

chamilton
Contributor
June 2, 2026

someone at atlassian just got in trouble, lol

Marcel
June 2, 2026

Why does it take Bitbucket so long to confirm the incident? Is this forum the right place to report this?

1 vote
Colton Lathrop
June 2, 2026

Yup... I'm not seeing anything about them announcing it.

I'd suggest NOT modifying your known_hosts until we get a response from bitbucket around this.

0 votes
Nico Aguilera
I'm New Here
June 2, 2026

This caused lots of loss of productivity, as dozens of people got the error and stopped their work to try to troubleshoot it.

Need full transparency about what happened here! What is the explanation??

0 votes
commodoretim
I'm New Here
June 2, 2026

The solution appears to be changing the host used by the remote from bitbucket.org to ssh.bitbucket.org as described at https://community.atlassian.com/forums/Bitbucket-articles/Upcoming-change-to-Bitbucket-Cloud-SSH-access-move-from/ba-p/3234032.

Keith Turner
I'm New Here
June 2, 2026

The solution is to not trust bitbucket.org until Atlassian explains why the trust chain broke down. The article you mention has an 'implement by' date that's still five months away.

Rose Rey
I'm New Here
June 2, 2026

The problem appears to have been on Atlassian's side. I have made no changes locally and am able to successfully git fetch again.

Mark Garrett
June 2, 2026

I don't think so. That is talking about changing the URL in your repos to hit a new remote and the fact that you will need to pull new keys for the new subdomain. What everyone here (myself included) is talking about is the fact that the RSA keys for "bitbucket.org" changed without notice. They have been pretty forthcoming about previous changes, so this is a bit out of character. Considering the plethora of supply chain attacks this year, we are all pretty justifiably paranoid.

These SSH keys are supposed to be inviolate for this very reason. ANY change that isn't telegraphed far in advance (like the November 2026 deadline in your article) should be considered suspect.

commodoretim
I'm New Here
June 2, 2026

I forgot to mention also verifying the presented host keys against the ones published at https://support.atlassian.com/bitbucket-cloud/docs/configure-ssh-and-two-step-verification/.

Perhaps the Bitbucket infrastructure was corrected just moments before I tried the new remote and my "solution" is irrelevant.

0 votes
Marcel
June 2, 2026

I have the same issue so I'll follow this topic.
