lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Atlassian Bitbucket

AtlassianCI/CD5 credentials

Credentials5 documented
01

Database Password

atlassian-bitbucket / database-password

Bitbucket Data Center stores external database connection details in bitbucket.properties under the Bitbucket home directory. Atlassian documents that the database username and password are stored there after database migration.

user definedsecretusername/password

Looks like

pattern
pattern

Bitbucket database connection property; the password value is the operator-supplied database credential and has no fixed shape

^jdbc\.(user|username|password)\s*=\s*[^\r\n]*$

Location

config file
$BITBUCKET_HOME/shared/bitbucket.properties

shared home properties file for Bitbucket Data Center

build artifact

Bitbucket home backups, migration exports, database-migration dump bundles

Notes

Database access can expose repositories metadata, pull request data, user directory state, plugin configuration, and stored integration state. The Bitbucket home directory and its backups should be treated as credential-bearing artifacts.

02

Local User / Administrator Password

atlassian-bitbucket / local-user-admin-password

Bitbucket local users, including administrators created by setup or by operators, authenticate with passwords stored in the configured user directory. For the internal directory, password material is database state rather than a plaintext file in Bitbucket home.

user definedsecretusername/password

Looks like

pattern
pattern

internal-directory password material in Atlassian user tables; the value has no Bitbucket-specific textual prefix and is identified by table and column context

cwd_user.*credential
pattern

raw Basic-auth username:password form used by Git over HTTPS or REST clients before Base64 encoding; context identifies Bitbucket

[^\s:@]+:[^\s:]+

Location

database

internal user directory tables, including cwd_user credential data

public interface
/login

Bitbucket web login for local users and administrators

public interface

Git over HTTPS and Bitbucket REST API Basic authentication

source code

legacy scripts, Git remote URLs, and integration configs

Notes

There is no universal shipped Bitbucket administrator password. The setup flow or an operator creates administrator credentials, and later users may come from local, LDAP, Crowd, SSO, or other configured directories.

03

Data Center HTTP Access Token

atlassian-bitbucket / data-center-http-access-token

Bitbucket Data Center HTTP access tokens can be created for users, projects, and repositories. Atlassian documents them as replacements for passwords in Git over HTTPS and REST API authentication.

user definedsecrettoken

Looks like

pattern
pattern

project and repository HTTP access tokens use Bearer authentication; no documented Bitbucket-specific prefix identifies the opaque token itself

Authorization:\s*Bearer\s+[^\s]+

Location

environment
BITBUCKET_TOKEN, BITBUCKET_ACCESS_TOKEN
source code

Git remotes, automation scripts, CI configuration, deployment tooling

logs

Git and REST client debug logs when Authorization headers are printed

secret store

CI/CD secret stores and deployment variables

Notes

User tokens, project tokens, and repository tokens have different scopes and permissions. Project and repository tokens must be used with Bearer authentication rather than as a username/password pair.

04

Bitbucket Cloud API Token / App Password

atlassian-bitbucket / cloud-api-token-app-password

Bitbucket Cloud API tokens and legacy app passwords are user-scoped tokens for scripts, CI/CD tools, and Git or API access. Atlassian documents API tokens as the long-term replacement for app passwords.

user definedsecrettoken

Looks like

pattern
pattern

raw Bitbucket username:token form used by Git or curl before Basic-auth encoding; the token itself has no documented fixed prefix

[^\s:@]+:[^\s:]+
pattern

Base64-encoded Bitbucket Cloud username and API token or app password; decode context is required to identify the credential

Authorization:\s*Basic\s+[A-Za-z0-9+/=]+

Location

source code

Git remote URLs, build scripts, Terraform providers, deployment automation

environment
BITBUCKET_USERNAME, BITBUCKET_APP_PASSWORD, BITBUCKET_API_TOKEN
config file
~/.git-credentials

Git credential helper storage for HTTPS remotes

secret store

pipeline variables and cloud secret managers used by integrations

Notes

These credentials are tied to an individual Bitbucket Cloud account and inherit the scopes selected at creation. Treat a leaked token according to both its scopes and the repositories or workspaces reachable by the account.

05

SSH Private Key

atlassian-bitbucket / ssh-private-key

Bitbucket Data Center and Bitbucket Cloud support SSH keys for Git access. Users add public keys to Bitbucket; the private key remains on the client, build agent, deployment server, or CI secret store.

user definedsecretkey pair

Looks like

pattern
pattern

identified by the PEM/OpenSSH private-key header; full private keys are multi-line and not useful as compact specimens

-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----

Location

config file
~/.ssh/id_*, ~/.ssh/*_bitbucket*

developer machines, build agents, and deployment hosts

secret store

CI/CD variables and deployment-platform SSH key stores

source code

accidentally committed deployment keys or local test keys

Notes

The private key's blast radius is defined by the Bitbucket account, repository access key, or deployment workflow that trusts the public key. Read/write keys can push code and are supply-chain sensitive.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.