Atlassian and Contegix (who together make the Hibernate JIRA possible) have found evidence that the Hibernate JIRA has been compromised through the recent JIRA exploit affecting numerous Open Source JIRA instances.

At this time they are still investigating and analyzing to determine the extent of the compromise. Specifically it is unknown yet whether passwords or user data in general were accessed.

In the meantime, Contegix will be upgrading the JIRA software. As a protection measure, all passwords have been reset. On logging back in you will be forced to reset your password via email (look for the Can't access your account? link next to the Log In button).

18. Apr 2010, 23:41 CET | Link

Investigation is continuing, but there is no evidence of compromised passwords or data and Atlassian believes it unlikely. Passwords have been reset solely as a precaution.

19. Apr 2010, 05:22 CET | Link

Why are people still storing passwords cleartext?

19. Apr 2010, 07:29 CET | Link
Glenn Butcher | gbutcher(AT)

The passwords were hashed (not stored in cleartext), and there is no indication the attacker obtained them anyway. Resetting passwords was a precautionary measure only.

Glenn Butcher Atlassian

19. Apr 2010, 15:18 CET | Link
And why not following recommendations, ie. salting the password and doing many hashing iterations so that when the hash is compromised the password "is not" ?
20. Apr 2010, 02:16 CET | Link

They're not saying passwords were immediately compromised. But if a user didn't have a sufficiently long or complicated password it is possible to discover the password from the hash via brute force. So, it's a good idea to go ahead and reset passwords so the hashed versions are rendered completely useless.

26. Apr 2010, 16:19 CET | Link
Florimon van Putte | florimon(AT)

After noticing I was locked out of my account, as per the instructions I clicked on the 'forgot password' link, to have my password reset. I received the email, following the link in it that took me to the password change page, then changed my password into what it used to be. I then tried to login again, but the login page now requires a CAPTCHA to be entered as well, and no matter how many times I try, each time it says that the captcha is incorrect. And now while typing this, I tried one more time, and now it doesn't even display the CAPTCHA, and when I go to the Help! I forgot my login details... page again, it says it doesn't know my username, and not even my email-address ? Also, the 'Contact administrators' page first displayed an empty list, but now returns a 403: Forbidden ... Anyone know what's going on?