Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Oops you've made a malformed request.


Switched phones, and forgot to switch my 2FA settings before I did so.  I no longer have access to the old phone.

So I submitted a request to recover the account, which makes you wait 12 hours or what.  Fine.  Got the email this morning containing the recovery link.

It doesn't work.  "Oops you've made a malformed request" every time.  After poking thru the distressingly large number of threads here of ppl having the same issue, here's what I have tried so far, based on those threads:

3 browsers:  Firefox, Chrome, Safari.  I have disabled all extensions in each one, I have cleared all site data on each one.  They are all the latest version.  Tried both regular and incognito windows.

No luck at all.

The error prompts me to contact support, which would be a neat trick, since I need to log in to do that and I can't.  I created this account specifically to ask this question.

Some other info:  I am literally the only person on my account.  There's no organization/enterprise/anything like that.  I am a lone developer.  THIS account is NOT the account with the issue.


1 answer

0 votes

Hi @hab,

Bitbucket uses Atlassian accounts for authentication and it is possible to set up 2FA for both. I would like to ask if you have 2FA set up for the Atlassian account ( or for the Bitbucket account (, or perhaps for both, and which one you are trying to recover now.

If you are trying to disable Bitbucket 2FA, there is a recovery option via SSH. If you have the SSH keys of this Bitbucket account in one of your machines, you can run the following command in a terminal on this machine

ssh recovery_codes

which will give you 6 recovery codes. Each of them is for one-time use only, so you could use one of them to log in to Bitbucket and a second one to disable 2FA (you can then enable it again with your new phone).

If this is not an option, could you please also let me know:

1. Does the URL giving you this error start with or with

2. If you log out from both and, are you then able to log in using your email and password, or do you get a 'malformed request' error as well? I'm just trying to narrow down the scope of the problem and see if this only occurs with the link in the recovery email or also when you attempt to log in without the recovery email.

Kind regards,

Hi Theodora.  Thanks for replying.

To answer your questions:

1 - it's

2 - Just tried without using the link in the email, and it lets me log in, but wants 2FA.

Out of curiosity, I tried running that ssh command, and I get: Perission denied (public key)

Not sure if that last point helps.

Thanks again!

Hi @hab,

Out of curiosity, I tried running that ssh command, and I get: Perission denied (public key)

If you navigate to the ~/.ssh directory on this machine, do you see any SSH key pairs there?

If so, you can try specifying the private key in the command as follows:

ssh -i ~/.ssh/id_rsa recovery_codes

where id_rsa replace with the name of your private SSH key if it is different.

In case you have multiple SSH key pairs in ~/.ssh and you don't remember which one you use for your Bitbucket account, you can try running the above command for each of the private SSH keys (by replacing the private SSH key name in the command).

If this doesn't work for you, or if there are no SSH keys in your ~/.ssh directory, another suggestion would be to try accessing the recovery link from another device, e.g. your phone, if that is possible.

Otherwise, please let me know and I can open a support ticket for you. We would need a HAR file generated when the recovery page opens/loads so we can check the request. Since the HAR file contains private data, I can open a support ticket for you (visible only to you and Atlassian staff) where you can upload it (I will also give you instructions on how to generate it).

Kind regards,

Hi @Theodora Boudale 

So I checked.  I do have ssh keys- 2 of them, but neither seems to be for the account I am trying to recover.  I also remember switching computers around the same time I switched phones, so very possible I could have missed a keyfile when switching over.

At any rate - yes, please open a support ticket. 

Thank you!

Hi @hab,

I went ahead and opened a support ticket for you, for the email of the community account you used to post here. You will receive an email with a link to the support ticket. In case you haven't received the email, please feel free to let me know and I will post the link here (no one other than you and Atlassian staff can view it, even if they have the link).

I would like to ask if you could provide the following in the support ticket, so we can better help you:

1. The email of the account you're having issues with

2. Your timezone: we provide 9/5 regional support and a timezone is needed for the support ticket. I have set a random one at the ticket, but if it doesn't match your own timezone then you will get responses outside your work hours.

3. A HAR file for the page that gives you the error.

You can follow the steps below in Chrome:

(a) Open the Bitbucket 2FA recovery email in Chrome (without selecting the recovery link yet)
(b) From Chrome Menu at the top-right of your browser window, select Tools > Developer Tools.
(c) In the Developer Tools panel, select the Network tab. After you do, check the options Preserve log and Disable cache right below the tab's name
(d) Hit F1 to open The Developer Tools settings, scroll down to find the option Auto-open DevTools for popups and enable it
(e) Select the recovery link "Log in to my account" from the 2FA recovery email. A new tab should open, along with a Developer Tools panel.
(f) Wait until the page has finished loading. Then, right click in the area where the network records are shown and select Save as HAR with content to save the HAR file on your machine.
(g) Before attaching the HAR file to the support ticket I opened fro you, ensure to remove/censor any sensitive information using a text editor (i.e. remove passwords, secrets, etc).

If you have any questions, please feel free to let me know.

Kind regards,

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Bitbucket

Git push size limits are coming to Bitbucket Cloud starting April 4th, 2022

Beginning on April 4th, we will be implementing push limits. This means that your push cannot be completed if it is over 3.5 GB. If you do attempt to complete a push that is over 3.5 GB, it will fail...

2,170 views 2 9
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you