Over the last months, Bitbucket Pipelines has experienced a massive increase in abuse from bad actors taking advantage of the free minutes to mine cryptocurrencies.

This has had a big impact on our CI/CD platform, requiring our team to stay on top of it 24/7 to maintain the best quality of service for our customers and evaluators.

Upcoming changes

In order to reduce abuse, we will be progressively rolling out changes in our CI/CD user experience for new users:

From July 15, 2021, new Bitbucket Cloud users will require two-step verification configured to enable Bitbucket Pipelines. The change does not impact existing paid teams.

Two-step verification secures your account by requiring a second confirmation, in addition to your password, to access Bitbucket Cloud. To enable it, go to your Bitbucket personal settings page and select Two-step verification under the Security heading, which will take you through the onboarding process.

Please note that pushing back to your repository or making API calls with your username and password as credentials (basic authentication) is not supported with two-step verification. We recommend that users switch to other authentication methods, such as App Passwords, which give better granularity and security controls via scopes.

What have we done so far…

In addition to two-step verification, our engineering team has already shipped several improvements to protect our platform against abuse. Some examples:

  • Strictly enforcing pipelines minutes quotas, reducing the existing grace period for free tier users.
  • Automatic detection and blocking of abusive accounts.
  • Terminating in-progress pipelines of abusive accounts.
  • Cluster isolation for trusted vs untrusted workloads for better containment during mining attempts.

We understand some mitigations are not an ideal customer experience, and we will keep working on improving and changing them over the coming weeks. However, we firmly believe this is the best thing to do for our customers, as it’ll help us invest our engineering resources in better ways, shipping the features needed to make our product better.

Changes to Bitbucket Pipelines due to crypto mining abuse