News: First Apache. Now it's JBoss. Hibernate JIRA Compromised by Targeted XSS Attack.
Last week we reported that the Apache foundation's issue tracking software was compromised by a targeted XSS attack. Now it appears that the Hibernate JIRA was compromised as well.
Steve Ebersole's Blog: Hibernate JIRA Compromised
There's no need to panic. This isn't a problem with Hibernate or anything, just the issue tracking software. But this makes for two pretty high profile attacks in the past few days. If you have a public JIRA of your own, you might want to make sure nobody's been trying to get at your passwords.
- Posted by: Cameron McKenzie ( @potemcam )
- Posted on: April 19 2010 09:56 EDT
Codehaus' JIRA was hacked last week too. What really makes this bad is the attackers have users' login (sometimes an email address) and one can assume they've been able to brute-force the hashed passwords stored in the JIRA database.
One should hope those users have a different password for their email account or for that matter, any other account that could be inferred from their JIRA login. I wouldn't be surprised if the attackers take the login credentials and start attempting to guess bank or email logins.
Remember, if someone figures out your primary email password, they can (1) probably figure out what other online services you use from archived emails, and (2) oftentimes use the "forgot my password" link to have a password reset sent to the compromised email address!
I was contacted last week by both Apache and Atlassian about their compromised systems - and encouraged by them to change my password, and take other precautions. I'm a little disappointed that I only found out about the Codehaus problem here. Thanks for the heads-up.
Atlassian's JIRA instance was also hacked