Anyone with an issues.apache.org account is probably already aware there is an exploit out there for JIRA. Apache and Atlassian have both had servers compromised. More info: https://blogs.apache.org/infra/entry/apache_org_04_09_2010 If you've signed up for a public JIRA server (or run one) and it wasn't a password you only used for that, you should probably think about proactively changing it anywhere else you use it. The passwords are hashed, but JIRA uses a random site wide salt, so it'll take time but eventually they could figure them all out. It's actually could have been a pretty clever exploit, go after developers who are more likely to have accounts with one of the cloud providers. Use the accounts to launch instances and use the instances to generate password tables, compromise more accounts, launch more instances.... I'm lazy and the password I used on the Apache JIRA was one I used a few other places. I knew it was a bad idea, but I did it anyway. I've learned my lesson and spent the whole night changing my passwords and getting them all in 1password on my mac on iphone. There's no reason to believe that my password has been compromised yet, but it's better to be safe than sorry. Now my passwords are all randomly generated, really long with letters, numbers and symbols.