by stygiansonic on 5/16/2023, 1:37:07 AM
by MelmanGI on 5/16/2023, 4:23:21 AM
Strange response in my opinion. They seem to explain step by step how to add trust for the new keys, but fail to explain how to remove trust for the old leaked keys.
Am I missing something?
The key parts
We recently learned that encrypted copies of Bitbucket’s SSH host keys were included in a data breach of a third-party credential management vendor. The SSH protocol uses host keys to establish the identity of a trusted server for every SSH connection, like when a git pull establishes a SSH connection to Bitbucket Cloud.
In response, Bitbucket issued two new SSH host keys today and will be replacing the current host keys on June 20, 2023. Please review this blog and complete the applicable steps outlined below as soon as possible.
I'm not a security expert, but isn't it concerning that their SSH host private key was even accessible this way? (In a "third-party credential management vendor")
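On the question raised in the thread of how to stop trusting the old host keys: an added example, not part of the thread or of Bitbucket's instructions, that splits a `known_hosts` file into entries to keep and entries to drop for one host. It handles both plain and hashed (`HashKnownHosts`) host fields. The key blobs, salt and file contents are constructed placeholders; the trusted fingerprint set is an assumption to be filled from the vendor's published values.

```python
import base64, hashlib, hmac

def host_matches(field, host):
    """True if a known_hosts host field (plain list or |1|salt|mac hashed form) names host."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in field.split(",")  # exact names only; wildcard patterns are not expanded

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def prune(lines, host, trusted_fps):
    """Return (kept, dropped); drops entries for host whose key is not in trusted_fps."""
    kept, dropped = [], []
    for line in lines:
        f = line.split()
        is_entry = len(f) >= 3 and not f[0].startswith(("#", "@"))  # leave comments and @markers alone
        if is_entry and host_matches(f[0], host) and fingerprint(f[2]) not in trusted_fps:
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped

def demo():
    # Constructed blobs standing in for real keys; not Bitbucket's actual host keys.
    old, new, other = (base64.b64encode(b).decode() for b in (b"old-key", b"new-key", b"other-key"))
    salt = b"constructed-salt-20b"
    mac = hmac.new(salt, b"bitbucket.org", hashlib.sha1).digest()
    hashed = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    known_hosts = [
        "# constructed sample file",
        "bitbucket.org,192.0.2.10 ssh-rsa " + old,
        hashed + " ssh-rsa " + old,
        "bitbucket.org ssh-ed25519 " + new,
        "example.com ssh-rsa " + other,
    ]
    return prune(known_hosts, "bitbucket.org", {fingerprint(new)})

if __name__ == "__main__":
    kept, dropped = demo()
    print("dropped:", *dropped, sep="\n  ")
    print("kept:", *kept, sep="\n  ")
```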