More Security in the Atlassian Cloud: The Credential Invalidator Protects Against Account Takeovers by Stolen Session Cookies

In an earlier blog post, Atlassian introduced a new security service, the Credential Invalidator, which monitors for stolen credentials (username and password combinations) that have fallen into the hands of malicious hackers through third-party data breaches. Since then, Atlassian says it has been able to render more than 200,000 such combinations useless to attackers.

In recent months, a new trend has emerged in the criminal underground of the Internet: session cookies are being stolen from end devices to gain unauthorized access to all sorts of accounts, including Atlassian accounts. These session cookies are then traded and shared in criminal circles.

To mitigate this risk, Atlassian monitors stolen session cookies and invalidates them, rendering them useless to the hacker.

What are session cookies?

Through a "session," a website tracks a user as they move between pages and interact with the site. When the user logs in, the server creates a session record and hands the browser a session cookie that identifies it; the session is deleted on the server when the user logs out.

Thanks to these session cookies, the website "knows" the user and the experience is much smoother. Without such a cookie, users would have to re-authenticate every time they opened another page.

And since session cookies are used all over the web and stored on users' devices for good reasons, they have become a target for malicious hackers. A session cookie is created every time a user logs in, and attackers try to steal it from the victim's device and present it from their own. The server cannot tell the copy from the original, so the attacker is treated as the victim and reaches whatever data the victim could.

Protection against account hijacking in the Atlassian Cloud

Atlassian collects information about stolen sessions and responds by deleting all sessions of the affected users. The stolen cookie immediately stops working and is worthless to the hacker; the affected users simply have to log in again.

Since January 2023, Atlassian has been able to take action on more than 25,000 session cookies found in third-party data breaches. The process for collecting and handling such information is automated.

What can customers do when managing sessions?


If a customer forgets their password, they can use the "Can't log in?" link on the login screen to reset their password. This will automatically invalidate all active sessions.


Customers can view their active sessions across their devices at any time by clicking "Recent Devices" in the Security section of the account settings.
Organization administrators can configure an inactivity timeout for sessions in the admin settings. From the Admin Console it is also possible to reset all sessions; doing so logs out all members within ten minutes.
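To make the mechanics concrete, here is a small server-side session registry written for this article (it is an illustrative example, not Atlassian's code). It shows the points made above: a session is created at login and identified by a bearer cookie, the server accepts that cookie from whichever device presents it, deleting all sessions of one account (the response described for a cookie found in a breach dump, and also what a password reset does) kills the stolen copy instantly, an admin-wide reset logs everyone out, and an inactivity timeout expires idle sessions. The store layout, the 15-minute timeout, the account name "alice" and the scenario in `walkthrough()` are constructed assumptions.

```python
"""Server-side session registry with per-user invalidation (illustrative example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """Sessions are keyed by SHA-256 of the cookie value: the raw value lives only
    in the browser, so a leaked session table does not hand out usable cookies."""

    def __init__(self, idle_timeout: float, clock=time.time):
        self.idle_timeout = idle_timeout   # seconds of inactivity before a session dies
        self.clock = clock                 # injectable so the timeout can be tested
        self._sessions: dict[str, Session] = {}
        self._by_user: dict[str, set[str]] = {}

    @staticmethod
    def _key(cookie: str) -> str:
        return hashlib.sha256(cookie.encode()).hexdigest()

    def login(self, user: str) -> str:
        """Create a session and return the cookie value to send to the browser."""
        cookie = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        key = self._key(cookie)
        self._sessions[key] = Session(user, self.clock())
        self._by_user.setdefault(user, set()).add(key)
        return cookie

    def resolve(self, cookie: str):
        """Return the user behind a presented cookie, or None if it is unknown,
        revoked, or idle past the timeout. The server only sees a bearer value,
        so it cannot tell the victim's browser from an attacker replaying a copy."""
        key = self._key(cookie)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > self.idle_timeout:
            self._drop(key)
            return None
        session.last_seen = now
        return session.user

    def revoke_user(self, user: str) -> int:
        """Delete every session of one account: the action taken for an account whose
        cookie turned up in a breach dump, and what a password reset triggers."""
        keys = list(self._by_user.get(user, ()))
        for key in keys:
            self._drop(key)
        return len(keys)

    def revoke_all(self) -> int:
        """Admin 'reset all sessions': everyone has to log in again."""
        count = len(self._sessions)
        self._sessions.clear()
        self._by_user.clear()
        return count

    def _drop(self, key: str) -> None:
        session = self._sessions.pop(key, None)
        if session is not None:
            self._by_user.get(session.user, set()).discard(key)


class FakeClock:
    """Constructed clock so the idle timeout can be exercised without sleeping."""
    def __init__(self, now: float):
        self.now = now
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def walkthrough() -> dict:
    """Constructed scenario: a cookie is copied off the victim's device and replayed,
    then killed by per-user revocation; a later session dies of inactivity."""
    clock = FakeClock(1_000.0)
    store = SessionStore(idle_timeout=15 * 60, clock=clock)
    results = {}
    laptop_cookie = store.login("alice")            # victim logs in on her laptop
    stolen_copy = laptop_cookie                     # malware copies the cookie jar
    results["replay_accepted"] = store.resolve(stolen_copy) == "alice"
    results["revoked"] = store.revoke_user("alice")         # invalidator acts on the account
    results["replay_after_revoke"] = store.resolve(stolen_copy)   # None
    results["user_must_relogin"] = store.resolve(laptop_cookie)   # None: her own device too
    phone_cookie = store.login("alice")             # she logs in again ...
    clock.advance(16 * 60)                          # ... then idles past the timeout
    results["idle_expired"] = store.resolve(phone_cookie)         # None
    results["unknown_cookie"] = store.resolve("not-a-real-cookie")  # None
    return results


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The point the walkthrough makes is that the replayed cookie is accepted until the server-side record is deleted; nothing about the cookie itself distinguishes the attacker's device, which is why revoking on the server (rather than trying to detect the device) is the effective response.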

Secure Atlassian ID accounts

From a security perspective, enabling multi-factor authentication (MFA) for Atlassian Cloud users is strongly recommended: logging in then requires more than just a password.

For example, users also enter a code generated by an app on their smartphone. The relevant section of the Atlassian documentation explains step by step how to set up MFA, which adds real protection to the login. Note that MFA protects the login step itself; a session cookie stolen after a successful login is not stopped by it, which is why session invalidation is the complementary control.

The ability to manage sessions appropriately is a valuable part of an organization's security strategy. Atlassian takes security seriously and works to keep up with emerging threats; by monitoring for stolen session cookies, a vendor can spot compromised sessions early and limit the damage they can do.

The future for Atlassian customers is in the cloud

Atlassian is discontinuing support for its server products in February 2024. We recommend using the remaining time to familiarize yourself with migrating to the cloud. Or better yet, try it out for yourself: With our Cloud Migration Trial, you can test Atlassian Cloud and gain initial experience without affecting your existing production system.

And we are happy to answer any questions you may have about the Atlassian Cloud. If you are still looking for a competent partner for your journey to the cloud, we are an Atlassian Platinum Solution Partner and have already supported numerous migrations. We are happy to support you - just send us an e-mail!


Further Reading

Forget Less and Ensure Quality with didit Checklists for Atlassian Cloud