
Atlassian Stored Passwords in Cleartext?

19 points by jason_tko, about 15 years ago

7 comments

veeti, about 15 years ago
The e-mail does mention that "this security issue only affects Atlassian customers who created an Atlassian account and purchased one of our products before June 2008. Since then, we have been using a more secure user management system based on Atlassian's Crowd product".
acangiano, about 15 years ago
If confirmed, this will cause major damage to the company's reputation. Atlassian is supposed to "get it". Apparently they don't. Very disappointing.
orev, about 15 years ago
There's absolutely nothing in this email saying they stored passwords in "clear text". They could have been stored hashed with an older algorithm. Maybe not the best thing to do, but that's not the same as clear text. If someone obtained the hashed passwords, they might be able to crack them (salted or not).

They are doing the responsible thing by informing their users. It's posts with titles like this that prevent more companies from disclosing security breaches.
stingraycharles, about 15 years ago
Well, they could also have been using unsalted hashes, and they're afraid someone might use a rainbow table to find out the original password. Still bad, but not nearly as bad.
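
An added example, not part of any comment in this thread: the distinction orev and stingraycharles draw between unsalted and salted password hashes, shown from the defender's side as what a leaked credential table exposes under each storage scheme. The account names, passwords and the small precomputed table are constructed for illustration, and SHA-1 and PBKDF2 are assumptions, since the thread does not say which algorithm Atlassian used.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts that happen to share a password.
ACCOUNTS = {"alice": "sunshine1", "bob": "sunshine1"}
# Constructed stand-in for a table of digests computed once, ahead of time,
# for common passwords (the role a rainbow table plays against unsalted hashes).
COMMON = ["123456", "password", "sunshine1", "qwerty"]
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON}

def store_unsalted(password):
    """Bare fast digest: the same password always yields the same stored value."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_salted(password, iterations=100_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def exposure_from_dump(stored):
    """Users whose stored value can be looked up directly in the precomputed table."""
    return sorted(user for user, value in stored.items() if value in PRECOMPUTED)

def compare_schemes():
    unsalted = {u: store_unsalted(p) for u, p in ACCOUNTS.items()}
    salted = {u: store_salted(p) for u, p in ACCOUNTS.items()}
    salted_hex = {u: rec[2].hex() for u, rec in salted.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_exposed": exposure_from_dump(unsalted),
        "salted_identical": salted_hex["alice"] == salted_hex["bob"],
        "salted_exposed": exposure_from_dump(salted_hex),
        "salted_verifies": verify_salted("sunshine1", salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(key, value)
```

With unsalted digests, one lookup covers every account sharing a password; with a per-user salt, a table built in advance matches nothing and each record has to be attacked separately at the KDF's cost.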
blueben, about 15 years ago
Too much conjecture, not enough fact.
giu, about 15 years ago
A post describing the security breach in more detail has been published on the Atlassian blog: http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html

Looks like they were storing the passwords of older accounts in clear-text (see 'Lessons we've learned today').
lurkinggrue, about 15 years ago
They kept the password properly encrypted but they just keep a copy in a backup_password field for emergencies.