Cybersecurity hygiene on Atlassian products needs improvement

meservo July 28, 2023

Hi Atlassian, I need to highlight some cybersecurity vulnerabilities with your products, particularly Jira. I think some tightening measures and cybersecurity reporting points should be in place to prevent this sort of Atlassian product abuse.

Example culprit Jira site: https://e20ltu31.atlassian.net/ (I'm currently attached by the hacker to this Jira site)

Right under your noses Russian hackers are setting up these fake sites in Jira and then sending invites to emails that could be potential victims of viral infections or hack attacks. 

The invite I received from this site: https://e20ltu31.atlassian.net/

[Screenshot: Screenshot_20230728-164547.png]

And the verification request I received from Atlassian to log in, even though I don't have an account yet. What you need to do in those emails is: 1) Have an option like Facebook to report unauthorised invitations. This is spam in my view as the viewer of the email. 2) Prevent the invitation of emails that don't have associated Atlassian accounts. Makes sense to prevent it from being abused in this way:

[Screenshot: Screenshot_20230728-164457.png]

Then I set up an account by resetting the password they created using my email and their own password. And went into Jira Service Management for site: https://e20ltu31.atlassian.net/

[Screenshot: Screenshot_20230728-163300.png]

And other unsuspecting victims they invited in the Team list for this Jira site: 

[Screenshot: Screenshot_20230728-163325.png]

It was necessary to expose this on your community site as you haven't got a proper cybersecurity tip hotline or reporting email address to send all this to, even if I don't have an account.

Please consider improving your cybersecurity practices, or be used as a tool by hackers to attack Australian and other citizens who may be affected by these attacks.

Regards, 

1 answer

2 votes
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 28, 2023

Hi @meservo 

Thank you for reporting this site.  I have created a request with my abuse team to investigate and take down this site.  It is clear that this user is abusing our terms of service.

In the future, should you receive an invitation to one of our sites that you are not expecting, you can forward that email message directly to https://www.atlassian.com/trust/report-abuse

This is one way you can help make our abuse team aware of such sites, without the need to create an account with us.  Sorry for the inconvenience here, thanks again for reporting this site to us.

Andy

meservo July 28, 2023

@Andy Heinzer on your Contact Us page you don't have an abuse reporting form or any mention of this abuse reporting email address. Please consider doing so. Also, within each Jira site have abuse reporting options in various screens, like abuse of posts in sites or sites themselves. That way it's easier for victims to report. Thanks for following this up. And hopefully my ideas about enhancing the email format to include an "I didn't create the account" option flag it with the abuse or accounts team to investigate. Please hunt those hackers down too.

meservo July 28, 2023

Can you also please report this to abuse team for me? 

Andy Heinzer
Atlassian Team
July 31, 2023

Hi @meservo 

I already reported the site you first mentioned.  It has already been deactivated by our abuse team, based on this report.

Thanks for the feedback here as well.  I agree that Atlassian should do more to actively take in these reports, and from users without an account.  I have filed a few requests with different internal teams to push for these changes.  One of these is a public feature request over in https://jira.atlassian.com/browse/CLOUD-11637

It specifically seeks to have all our Atlassian Cloud sites include a means to notify us of abuse coming from a site.  I am not sure if or when this option might be considered, but I would recommend watching that ticket for updates to this. 

Thanks again for reporting this site to us.  It feels bad that we have provided a service to an account that abused it to send spam to you and others.  I will keep pushing for the change we need to detect earlier and prevent such future abuse.

Deployment type: Cloud
Product plan: Standard