In our first blog post, we announced a new service that monitors stolen username and password combinations from third-party (non-Atlassian) breaches. Since then, we have actioned 200,000+ credentials to prevent account takeovers.
In the last year, a new trend has been seen in the cyber underworld – stealing sessions from victims’ devices to gain unauthorized access to all sorts of accounts, including Atlassian accounts. These session cookies are then shared in the criminal underground.
To help mitigate some of this risk, Atlassian is monitoring for stolen session cookies and invalidates these to make them useless for the hacker.
What are session cookies?
A “session” is the way a website tracks you as you move between pages and interact with the website. A session cookie is created on a website’s server when you log in and is deleted when you log out. This session cookie makes it easy for a website to know it is still you and makes the web browsing experience much more convenient and hassle-free. Without session cookies, you would have to authenticate yourself every time you moved to a different page.
Because session cookies are used everywhere (for good reason) and stored on your workstation, they become a target for hackers. With session cookies being created for every site every time you log in, hackers try to steal this information from your device and use it on their own systems to log in – pretending to be you.
Preventing account takeover
Atlassian collects intelligence about stolen sessions and acts on this information by deleting all sessions for the impacted user, immediately making the stolen session cookie useless for the hacker. The user will only need to log in again on the Atlassian Cloud environment.
Since January 1st 2023, Atlassian has actioned 25,000+ session cookies found in third-party breach data and has automated the process of collection and actioning new intelligence.
What customers can do to manage their sessions
Atlassian offers several controls for administrators to manage sessions and has introduced some new features to combat the rise of session cookie theft.
Customer users can change their passwords as always via manage profile. Now, this action will log out of the active session used to change the password. Cloud customers can configure a new password in the security section of “Account Settings.”
If a customer forgot their password, they can use the “Can’t log in” link on the login form to reset their password. This automatically revokes all active sessions once a new password is set.
What’s the Difference between a password change and a password reset?
- A password reset is done when a user forgets their password and requests to reset it (“Forgot my password”).
- A password change is when the user is logged in and via “manage profile” configures a new password.
Customer users can track active sessions across associated devices at any time by visiting Recent Devices in the security section of “Account Settings.”
Organization admins can configure the idle session timeout in the admin settings console. From the admin console, you can also reset all sessions for the configured authentication policy. This logs out all members from the policy in about ten minutes.
Keeping Atlassian ID accounts safe
It is worth repeating: for each account that you manage, make sure to enable multi-factor authentication (MFA)!
What is mfa?
MFA is a multi-step login process that requires more information than just a password to login. For example, users are requested to fill in a code generated on a mobile phone app in addition to their password. Take a look at our documentation to see how to enable MFA, step-by-step. It offers additional protection and keep your account safe.
Having the ability to properly manage sessions is a useful tool in your defense-in-depth approach. Atlassian takes security very seriously and strives to be transparent in how we do so. By implementing monitoring for session cookies in the cyber underworld, we keep up with the trends in the industry and stay ahead of the hackers.
Trust is a product we deliver as a company. And that is a product never finished.
Our statement has not changed since Credential Invalidator was added to the defenses and this enhanced addition will continue to contribute to it.