Apache server suffers hack attack

An attack on Apache’s project server has resulted in passwords being stolen from all users.

Hack attack

Hackers have attacked the Apache Software Foundation's (ASF) project server and stolen the passwords of all its users.

The attack began on 5 April when hackers broke into Apache's Atlassian JIRA software used to track all its projects and any bugs that emerge.

They sent server admins a TinyURL link claiming they were having problems whilst browsing projects. When admins clicked on the link, it compromised their sessions and allowed the hackers to get hold of administrator rights.

By 9 April, the hackers had planted a password stealing programme and taken full control of JIRA, as well as Apache's Confluence and Bugzilla programmes.

"If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised," said a blog post from the Apache Infrastructure team.

It has warned users of any of these programs to change their passwords, especially if they logged in between 6-9 April.

It has also left those who had Atlassian accounts before July 2008 in danger as an old unencrypted database containing customer passwords was left online and could have been compromised.

"We made a big error," admitted Mike Cannon-Brookes, chief executive of Atlassian, in a blog post. "For this we are, of course, extremely sorry."

He added: "The legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn't active, it should have been deleted. There's no logical explanation for why it wasn't, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up."

Apache is running JIRA on a proxy configuration for the meantime and has made a number of changes to make the server safer.

"We hope our disclosure has been as open as possible and true to the ASF spirit," concluded the Apache blog. "Hopefully others can learn from our mistakes."

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Telegram bots are out to steal your one-time passwords
hacking

Telegram bots are out to steal your one-time passwords

30 Sep 2021
What makes a password secure?
Sponsored

What makes a password secure?

28 Sep 2021
Robust password policies cut cyber attacks by 60%
cyber security

Robust password policies cut cyber attacks by 60%

13 Sep 2021
1Password Business review: First choice for business travel and guest accounts
Security

1Password Business review: First choice for business travel and guest accounts

16 Jul 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021