I've been using Bitbucket for the source repo, public issue tracker, wiki, etc., for my projects since 2015. Once in a while I've seen a spam comment added to an existing issue, but today I'm seeing a number of actual new issues being opened that are completely spam. Here's one that I haven't deleted yet so it could serve as a concrete example:
The volume is still pretty low right now, but I fear I'll wake up one morning with hundreds or even thousands of such issues having been logged.
Is there any first-class mitigation strategy aside from changing the issue tracker from public to private? That wouldn't really be a viable option for me as this is the public issue tracker for users of my project.
Any insights or suggestions you can provide are sincerely appreciated.
Hi. I've been communicating with Atlassian/Bitbucket Cloud support for a few days now and they're actively working on a solution for this. The problem is NOT solved yet, though, and they recommend that any affected public issue trackers be made private until they are. If you have a large number of spam issues, they should be able to help remove them en masse. I'll be happy to post an update here when they've informed me of a solution.
We are seeing spam from the same malicious group starting today on several of our public issue trackers. I suspect BitBucket is being subjected to a widespread concerted spam attack this evening.
This incident highlights the woefully inadequate tools that BitBucket provides repo admins for mitigating spam/defacement attacks.
Please go vote and comment on feature request BCLOUD-21131, which is not a fool-proof solution but at least would be a step in a positive direction.
Hi @bonachea. A few questions if you don't mind and have the time:
What are you doing with your public issue trackers that are under attack? Have you changed them to private temporarily until this attack ends? If so, how are you going to decide when it's safe to make them public again?
How are you letting users of disabled issue trackers know what's going on in the interim? I really wish that a public/read-only option was offered so that the issue tracker is still available publicly in a read-only state.
Have you reported the attacker accounts to Atlassian somehow? If so, what report channel did you use?
Are you aware of any kind of bulk issue delete mechanism in BitBucket Cloud? After changing my issue tracker to private, I had to remove ~600 spam issues this morning, one at a time, three clicks per issue.
Thanks in advance for any additional guidance you can provide.
Hi @RoseSilverSoftware - I recommend creating an Atlassian support ticket here:
We've had a similar problem before and they are disappointingly slow to respond, but they do eventually respond.
I strongly agree that issue tracker features like a public/read-only state and bulk edits (a frequently requested feature) would be useful in this situation. Unfortunately BitBucket Cloud's issue tracker is deliberately underpowered for business reasons (self-competition) so I wouldn't hold your breath for any "fancy" features like that.
Sadly the best advice is probably to ditch Atlassian products entirely and move to a competitor hosting service whose business model doesn't depend on saddling non-enterprise users with offensively feature-poor tools.
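The two questions above about bulk deletion (the ~600 issues removed three clicks at a time, and the missing bulk-edit feature) can be worked around with the Bitbucket Cloud REST 2.0 API rather than the web UI. The script below is an added example written for this thread; it is not code from any poster or from Atlassian. It assumes the documented `GET /2.0/repositories/{workspace}/{repo_slug}/issues` (paginated via a `next` link) and `DELETE /2.0/repositories/{workspace}/{repo_slug}/issues/{issue_id}` endpoints, an issue JSON shape with `title`, `content.raw` and `reporter.nickname`, and an app password with issue write permission for the repo admin; the reporter handles and spam phrases are constructed placeholders you must replace with what you actually see. Flip the tracker to private first so nothing new arrives while you clean up, and run with `dry_run=True` to review the candidate list before anything is deleted, because legitimate bug reports frequently contain links and a single-pattern filter will produce false positives.

```python
"""Bulk-delete spam issues from a Bitbucket Cloud issue tracker (added example, not Atlassian's code)."""
import re
from typing import Callable, Iterator

API_BASE = "https://api.bitbucket.org/2.0"  # assumed REST 2.0 base URL

# Constructed heuristics: replace with the attacker handles and phrases from your own spam.
SPAM_REPORTERS = {"spammer-one", "spammer-two"}          # hypothetical nicknames
SPAM_PHRASES = [re.compile(r"\b(?:casino|bet365|escort)\b", re.IGNORECASE)]
MAX_LINKS_IN_REAL_REPORT = 2                              # three or more URLs is treated as spam


def iter_issues(get: Callable[[str], dict], workspace: str, repo_slug: str) -> Iterator[dict]:
    """Yield every issue in the tracker, following the `next` pagination link until it is absent."""
    url = f"{API_BASE}/repositories/{workspace}/{repo_slug}/issues?pagelen=50"
    while url:
        page = get(url)                       # get() returns the decoded JSON page
        yield from page.get("values", [])
        url = page.get("next")


def looks_like_spam(issue: dict) -> bool:
    """Flag an issue by known reporter, spam phrase in title/body, or an unusual number of links."""
    reporter = (issue.get("reporter") or {}).get("nickname", "")
    if reporter in SPAM_REPORTERS:
        return True
    body = (issue.get("content") or {}).get("raw") or ""   # content may be null for some issues
    text = f"{issue.get('title', '')}\n{body}"
    if any(p.search(text) for p in SPAM_PHRASES):
        return True
    return len(re.findall(r"https?://", text)) > MAX_LINKS_IN_REAL_REPORT


def find_spam(get: Callable[[str], dict], workspace: str, repo_slug: str) -> list[dict]:
    """Return the issues that match the spam heuristics, in tracker order."""
    return [issue for issue in iter_issues(get, workspace, repo_slug) if looks_like_spam(issue)]


def delete_issues(delete: Callable[[str], None], workspace: str, repo_slug: str,
                  issues: list[dict], dry_run: bool = True) -> list[str]:
    """Build the DELETE URL for each issue; only call delete() when dry_run is False."""
    urls = [f"{API_BASE}/repositories/{workspace}/{repo_slug}/issues/{issue['id']}" for issue in issues]
    if not dry_run:
        for url in urls:
            delete(url)
    return urls


if __name__ == "__main__":
    # Live usage: BB_USER / BB_APP_PASSWORD are assumed environment variables holding an app password.
    import os
    import sys
    import requests

    workspace, repo_slug = sys.argv[1], sys.argv[2]
    session = requests.Session()
    session.auth = (os.environ["BB_USER"], os.environ["BB_APP_PASSWORD"])

    def get(url: str) -> dict:
        resp = session.get(url)
        resp.raise_for_status()
        return resp.json()

    def delete(url: str) -> None:
        session.delete(url).raise_for_status()

    spam = find_spam(get, workspace, repo_slug)
    for issue in spam:
        print(f"#{issue['id']}  {(issue.get('reporter') or {}).get('nickname', '?')}  {issue.get('title', '')!r}")
    # Review the list above, then rerun with dry_run=False to actually delete.
    delete_issues(delete, workspace, repo_slug, spam, dry_run="--delete" not in sys.argv)
```

The heuristics are deliberately conservative (a known reporter, an explicit spam phrase, or more than two links) because the tracker also contains real reports from your users; widen them only after checking the dry-run output, and keep the printed list as a record of what was removed.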