Atlassian's turnkey solution for enterprise single sign-on and secure user authentication contains an unpatched backdoor. The backdoor allows anyone to remotely take full control of a Crowd server and, according to Command Five, successful exploitation "invariably" results in compromise of all application and user credentials as well as accessible data storage, configured directories (for example Active Directory), and dependent systems.
Despite having over 25,000 customers, including lots of big names and Fortune 500 companies, this isn't the first time Atlassian has been in the news for epic security-fail. In 2010 Atlassian suffered a security breach in which hackers compromised customer credentials that were stored on a server in plain-text. The server then collapsed under load as customers scrambled to change their passwords.