Close this search box.

Session Identity Protection

How Atlassian automates its response to stolen customer cookie data found on the dark web

Logo: Atlassian


Today, malware-infected customers pose one of the highest risks to businesses – and businesses often have the least visibility into this particular problem. As cybercriminals increasingly leverage stolen cookie data exfiltrated by malware, Atlassian needed a scalable way to identify exposures and automatically invalidate compromised sessions to protect its customers.


With Session Identity Protection, Atlassian now protects its more than 250K cloud customer accounts from session hijacking, automatically, with zero operational overhead.

Atlassian’s team collaboration and productivity software, which includes Jira, Confluence, and Trello, helps teams around the globe get work done. More than 250,000 cloud customers across large and small organizations – including Bank of America, Redfin, NASA, Verizon, and Dropbox – use Atlassian’s products.

With so many customers accessing its tools daily, how does a company like Atlassian stay ahead of evolving threats that can impact their business? For Niels Heijmans, Principal Security Intelligence Analyst, his approach to consumer risk protection took a happy turn three years ago when he came across SpyCloud’s account takeover prevention solutions.

He started by implementing SpyCloud Consumer Account Takeover Prevention to gain visibility into his customers’ breach exposure and stolen credentials to protect against traditional account takeover. Now, a few years later, he’s tackling the next generation of attacks, too, by adopting SpyCloud’s Session Identity Protection to identify exposed session cookies and invalidate them before criminals can use them for session hijacking.

“Our customers are everything to us. We have a core value around protecting them at all costs. So by adding Session Identity Protection to the rest of our SpyCloud instance, we basically get rid of the threat of account takeover, whatever the source – which means our customers and their data are safe.”

Atlassian’s outcomes with SpyCloud, by the numbers


customer organizations identified as having exposed session cookies


authentication cookies invalidated


individual user accounts protected from follow-on attacks


hours saved per month due to detection and response efficiencies 

*Data represents an 11-month time period

Addressing the next big threat: Session hijacking with stolen customer cookies

A stolen cookie from a web session, when put in the wrong hands, can allow bad actors to bypass all forms of authentication – from passwords to multi-factor authentication (MFA) and even passkeys – to assume the access of an authenticated user. Session hijacking originates from the takeover (or “hijack”) of an active browser or application session using a stolen, still-valid authentication cookie where the criminal appears as a verified clone of a legitimate customer.

Criminals leverage these active sessions to gain access to customer accounts and steal sensitive data. Last year alone, SpyCloud researchers recaptured 22 billion stolen cookies from malware records, which indicates criminals are increasingly stealing, buying, and trading fresh cookie data that comes with a high likelihood of account takeover success.

“Almost everyone is aware that bad actors are stealing passwords. But I don’t think a lot of people realize that MFA alone isn’t enough to protect users against account takeovers. Session hijacking is still very new – but for Atlassian, it’s become high on our radars. As long as a cookie stays valid, the gate to that consumer’s account remains wide open,” say Niels.

Today, 39% of organizations don’t terminate session cookies at the sign of exposure. Atlassian, with the help of Session Identity Protection, is ahead of the curve. Niels has already gone to work, leveraging automation to invalidate 41,000 stolen authentication session cookies to proactively protect almost 38,000+ customer accounts in 2023.

Early stolen cookie detection means no more panic, no more fire drills

Because its user base is so large, the Atlassian security team is used to frequent notifications and alerts about data exposure concerns. In the past, they didn’t always have answers, and the team had to manually verify problems, do lengthy investigations, and then determine an appropriate response. The team was expending extra resources in repetitive detection and response work. With SpyCloud, Atlassian’s analysts save 160 hours of repetitive work per month – no longer needing to manually parse, validate, and deactivate sessions due to higher-fidelity alerts and automation workflows.

Additionally, because SpyCloud continuously ingests and analyzes stolen cookie data from the deepest layers of the darknet daily, all that data is recaptured very early in the attack timeline. The fresh data insights are made available to Atlassian through Session Identity Protection. Niels says, “Now, when we’re notified of a concern by another team or tool internally, it’s just a quick check for us. And odds are, we already acted on that data three months ago, when SpyCloud found it for us first.”

How it all works

Atlassian integrated SpyCloud with their existing tool stack to create an automated workflow for invalidating stolen session cookies. Says Niels, “SpyCloud is actually the benchmark of success for all of our third-party integrations. The integrations with our SIEM platform and ticketing tools are so seamless that we use them as a comparison point across our entire tool stack.”

For Atlassian, the setup and integration process was simple to deploy, and is serverless with zero required maintenance. It’s very much a ‘set it and forget it’ scenario for Niels’ team. Here’s what it looks like:

Pull enriched Session Identity Protection data via SpyCloud’s API into existing service.


Atlassian’s automated workflow automatically revokes all active sessions on every device for an identified, exposed user.


….Get back to other work, with the confidence that customers are being continuously protected.


Atlassian invalidates all known compromised sessions for impacted users on the back-end automatically, but they’ve also given their customers added visibility into the problem and offer additional countermeasures directly via their in-app Credential Invalidator functionality. Now, when Atlassian customers reset a forgotten password or proactively change a password, they also automatically get logged out of the active session used to change the password. Customers who have admin credentials can also configure the idle session timeout or reset all sessions for a configured authentication policy.


Real-time, high-fidelity alerts
Definitive evidence of exposures
Automated workflows
Easy integrations with existing tools
Significant resource and time savings

Fast protection for threat vectors, new and old

As cybercriminals evolve their account takeover tactics beyond traditional use of credentials, Atlassian has peace of mind knowing they are keeping pace with the next generation of threats. By leveraging SpyCloud Session Identity Protection, Niels feels confident that they are sticking to their core company value of protecting their customers.
“With Session Identity Protection, we’re protecting our customers as proactively as possible in today’s threat landscape. SpyCloud gives us the speed we need to act fast – before an attacker has the chance to abuse stolen cookies. The impact has been huge for us.”

About SpyCloud Session Identity Protection

SpyCloud identifies infected consumers and monitors malware logs for compromised session cookies tied to your application that can be used for session hijacking – alerting your business so you can act quickly to protect these high-risk accounts.
Learn more about SpyCloud Session Identity Protection.

Download the PDF version of the case study

Meet SpyCloud at Black Hat — Booth #4424!   Book a meeting →

Close this search box.