Security Advisory - Password Change request from JIRA Support

MJM July 21, 2021

I received an email from the Atlassian Security Team, and I am confused. Here is the email I received.

Hi,

We have recently discovered that we have stored passwords for the personal email account/s you have used to login and pull in emails to Jira Cloud as plaintext files in an encrypted database. To add an extra layer of security, we have updated our processes to ensure that email account passwords are encrypted with a custom key before they are stored in the encrypted database. The database was only accessible to a limited set of Atlassian engineers for the platform.

We've investigated all access and audit logs and have not found any signs of unauthorized access. However, out of an abundance of caution, we recommend that you reset your email account/s password for the email address you have connected with Jira Cloud as Incoming Mail servers.

To list which accounts are impacted, please check the list of Incoming Mail servers set for Jira Cloud Instances you own (any email address that is not username@instance_name.atlassian.net would be personal).

In the Jira Admin section:

1. Choose Settings > System.
2. Select Mail > Incoming Mail.

We are committed to implementing the best security practices for our customers and improving our processes, and apologize for any inconvenience this may cause.

 

Here's my question:

Does this only apply to Incoming Mail accounts under the Settings > System > Mail > Incoming Mail?

Or does it also apply to the mail accounts set up for the Project under Project Settings > Email Requests?

Or am I changing the password for my actual SMTP account?

1 answer

Answer accepted
Jack Brickey
Community Leader
July 21, 2021

I received the same and checked with Atlassian on this for further information. In the end it only applies to the incoming email handlers as mentioned in the directions.

MJM July 22, 2021

I'm still a little confused. I only have the "jira@xxxxx.atlassian.net" Cloud Mail Server listed.

How would I go about changing that password?

 

Incoming Mail

Set up your incoming mail server

Here are the current mail servers that are configured for Jira.

| Name | Username | Host Name | Authentication Type | Actions |
|---|---|---|---|---|
| Default Cloud Mail Server | jira@xxxxx.atlassian.net | | | |
Jack Brickey
Community Leader
July 23, 2021

You would not change the password associated with that email. If that’s the only one you have I’m not sure why you would have received the security email TBH. Is it possible that at one time you had inbound emails configured and later removed? In any event you certainly are welcome to reach out to Atlassian support to find out more.
