IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Apache server suffers hack attack

An attack on Apache’s project server has resulted in passwords being stolen from all users.

Hack attack

Hackers have attacked the Apache Software Foundation's (ASF) project server and stolen the passwords of all its users.

The attack began on 5 April when hackers broke into Apache's Atlassian JIRA software used to track all its projects and any bugs that emerge.

They sent server admins a TinyURL link claiming they were having problems whilst browsing projects. When admins clicked on the link, it compromised their sessions and allowed the hackers to get hold of administrator rights.

By 9 April, the hackers had planted a password stealing programme and taken full control of JIRA, as well as Apache's Confluence and Bugzilla programmes.

"If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised," said a blog post from the Apache Infrastructure team.

It has warned users of any of these programs to change their passwords, especially if they logged in between 6-9 April.

It has also left those who had Atlassian accounts before July 2008 in danger as an old unencrypted database containing customer passwords was left online and could have been compromised.

"We made a big error," admitted Mike Cannon-Brookes, chief executive of Atlassian, in a blog post. "For this we are, of course, extremely sorry."

He added: "The legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn't active, it should have been deleted. There's no logical explanation for why it wasn't, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up."

Apache is running JIRA on a proxy configuration for the meantime and has made a number of changes to make the server safer.

"We hope our disclosure has been as open as possible and true to the ASF spirit," concluded the Apache blog. "Hopefully others can learn from our mistakes."

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Apple, Google, Microsoft expand their support for password-less sign-ins
cyber security

Apple, Google, Microsoft expand their support for password-less sign-ins

6 May 2022
NordPass teams up with insurance provider Cowbell Cyber to improve security awareness
cyber security

NordPass teams up with insurance provider Cowbell Cyber to improve security awareness

18 Feb 2022
NCA donates 225 million passwords to Have I Been Pwned
cyber security

NCA donates 225 million passwords to Have I Been Pwned

21 Dec 2021
Top 200 most common passwords of 2021 revealed
cyber security

Top 200 most common passwords of 2021 revealed

10 Dec 2021

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022