We recently learned that users of Bitbucket Cloud who generated their SSH key(s) using GitKraken versions 7.6.0-8.0.0 could be subject to a vulnerability that results in the creation of duplicate keys. The developers of the GitKraken app reached out to Bitbucket Cloud when they discovered that their software was generating duplicate RSA keys and informed us that the bug was fixed in version 8.0.1 of their software. This was not a result of a compromise, data breach, or other data exposure event of the Bitbucket Cloud products and services. More information can be found here www.gitkraken.com/blog/weak-ssh-key-issue-fix.
In an effort to protect our customers, Bitbucket Cloud launched an investigation to identify weak keys as well as any signs of unauthorized access to repositories. We found no evidence that any customer data has been compromised.
Bitbucket Cloud has revoked keys that were identified to be weak as well as adding them to a blocklist preventing future use. If you own one of the keys that were revoked, you should have received an email notification with instructions to generate a new key.
We recommend that users of GitKraken update to the latest version and generate new keys.
