Atlassian silently gave someone else ownership of my Bitbucket account

One of the nice things about being an academic is that you qualify for the discounted academic pricing offered by many companies. In some cases, the discount is 100%. For instance, Workflowy will give you one year of their paid plan for free if you sign up with a university email address. Todoist used to offer its product for half price if you signed up with a university email. The use of a university email address gives companies a cheap tool to validate that you’re qualified for the lower/free price.

In 2012, I was excited to learn that Atlassian would give you free private repos if you signed up with a university email address. That was a game-changer, because GitHub made no such offer, and all of my students and coauthors could get a Bitbucket account for free. For years, I used Bitbucket to hold my private projects.

Early in 2022, I experienced strange behavior. I went to the Bitbucket website and tried to log in. It took me to the K-State 2FA page. I had no idea how that could be, but it was legit, so I used the 2FA system like usual. It wouldn’t let me in. I could still push and pull from repos, but I couldn’t get into the website.

I planned to contact Atlassian’s support to find out what happened to my account. It’s the darndest thing. You have to log in to contact support. There’s literally no mechanism available to contact them for support if you get locked out of your account (in my case, due to their actions). I got creative. I created an account using a personal email address, created a support ticket, and gave them the information about my main account.

Their first response wasn’t helpful:

Thanks for the information, Lance. Please reach out to our Atlassian Community Support. There we have dedicated Atlassian Support Engineers and Community Leaders ready to help you.

As Community Support is the only channel available for our Free and academic license users, we make sure to pay special attention to getting to these requests.

Feel free to reach back if you have more questions.

I don’t know how a public internet forum is going to help with login issues. So I replied to emphasize that their forum wouldn’t be of any use, and that I had a decade’s worth of repositories locked up. Their second response gave me a few details:

I’ve checked with Support, they confirmed the kstate organization has claimed the domain @ksu.edu.

And is probably making the users log in using an external identity provider. Since the domain is claimed, you would have to talk with the Org admins to regain access back to your account.

What does it mean to say they have “claimed the domain”? I gave Atlassian a university email address a decade earlier as verification of my faculty status. Apparently Atlassian gave control of my private account to someone else - and they weren’t willing to tell me anything about it.

After emailing the people they listed as contacts, I found out that Atlassian had silently taken ownership of all my repos away from me. They had given them to someone at K-State I had never heard of. That person had full authority to lock me out of my account, read all my content, and delete anything they wanted.

Is that really the kind of company you want to trust with your data?

If there hadn’t been a bug in the software that stopped me from logging in, I would never have known that they gave all my data to someone else. As a professor, the first thing I thought about was a potential FERPA violation. I can’t think of any student data I ever put into a Bitbucket repo. It’s easy to imagine someone calculating grades inside a Bitbucket repo and pushing it to the server for storage. I mean, it’s a Git repo, with its super-duper security so that companies can trust it with their most precious code. That would seem to be as secure a place to store student data as you can find.

Doesn’t Atlassian have any safeguards in place to prevent this from happening? Wasn’t there a single person in their whole organization that pointed out that it would be bad to silently give full ownership of someone’s private data to another person?

Trusting Atlassian with any of your data as a professor looks like an imminent FERPA violation. If you want full details, you can see what Atlassian tells me if I try to sign up for a paid Trello account:

Welcome to Trello! Just a quick heads up about your account: since you signed up with a k-state.edu email, kstate has made you a part of their group.

Here’s what that means:

  • This account should only be used for kstate.
  • If you’d like to use Trello for things other than work for kstate, we recommend creating a new free account with a personal email address.
  • kstate admins are able to edit your profile and deactivate or delete your account.
  • Your Trello + Atlassian profile is how you’ll appear in Trello and possibly to the public, depending on your privacy settings.

I’m not talking about a free account. These conditions apply to someone that pays for a standard or premium account. Even if you pay for your account, you can’t own your data. Someone else is free to read it all and delete your account if you’re not following their rules.