On May 28, 2021, the Bitbucket Cloud support team were made aware of an intermittent issue wherein users collaborating on private repositories were able to mention users from other workspaces on pull request comments.
During our investigation, Atlassian engineers identified the root cause as a minor bug that would sometimes cause requests to the user search service to omit the filter that restricts results to users with access to the repository. Previously, the user search service returned an error for such requests; a recently deployed change modified this behavior to treat them as unscoped requests and search all users. This is the same behavior as when you start to mention another user in a pull request comment on a public repository.
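The mechanism described above is a fail-closed check turning into a fail-open one: a request that forgot to say "only members of this repository" used to be rejected, and after the change it silently widened to every user. The following is an added illustration and is not Atlassian's or Bitbucket's code; the user directory, repository membership, function names and the `allow_unscoped` flag are all hypothetical. It contrasts the three behaviors on the same constructed data.

```python
from typing import Optional

# Constructed sample data: a tiny user directory spanning two workspaces
# and the membership of one private repository.
USERS = {
    "alice": {"display_name": "Alice", "workspace": "ws-a"},
    "bob": {"display_name": "Bob", "workspace": "ws-a"},
    "carol": {"display_name": "Carol", "workspace": "ws-b"},
}
REPO_MEMBERS = {"ws-a/private-repo": {"alice", "bob"}}


class MissingScopeError(ValueError):
    """Raised when a search request does not say which repository it is scoped to."""


def _match(query: str, scope: Optional[set]) -> list:
    """Case-insensitive substring match on display name, optionally limited to `scope`."""
    return sorted(
        user for user, info in USERS.items()
        if query.lower() in info["display_name"].lower()
        and (scope is None or user in scope)
    )


def search_users_fail_closed(query: str, repo: Optional[str]) -> list:
    """Behavior before the change: a request with no repository scope is an error."""
    if repo is None:
        raise MissingScopeError("repository scope is required for user search")
    # Unknown repo name -> empty member set -> no results (default deny).
    return _match(query, REPO_MEMBERS.get(repo, set()))


def search_users_fail_open(query: str, repo: Optional[str]) -> list:
    """Regressed behavior: a missing scope is treated as 'search every user'."""
    if repo is None:
        return _match(query, None)  # unscoped: users from any workspace can appear
    return _match(query, REPO_MEMBERS.get(repo, set()))


def search_users_explicit(query: str, repo: Optional[str] = None,
                          *, allow_unscoped: bool = False) -> list:
    """Hardened variant (hypothetical): widening to all users must be opted into
    explicitly, so a caller that merely forgets the filter cannot broaden results."""
    if repo is not None:
        return _match(query, REPO_MEMBERS.get(repo, set()))
    if not allow_unscoped:
        raise MissingScopeError("no repository scope and allow_unscoped not set")
    return _match(query, None)


def rejects_unscoped(search_fn, query: str = "a") -> bool:
    """True if `search_fn` refuses a request that carries no repository scope."""
    try:
        search_fn(query, None)
    except MissingScopeError:
        return True
    return False


if __name__ == "__main__":
    # Typing "a" into a mention box on ws-a/private-repo should only ever offer alice.
    print("scoped:", search_users_fail_open("a", "ws-a/private-repo"))
    # With the scope dropped, the fail-open service also offers carol from ws-b.
    print("unscoped, fail-open:", search_users_fail_open("a", None))
    print("unscoped, fail-closed rejects:", rejects_unscoped(search_users_fail_closed))
    print("unscoped, hardened rejects:", rejects_unscoped(search_users_explicit))
```

The point of the hardened variant is that the absence of a parameter is never interpreted as permission to search everyone: the public-repository case has to be requested by name, so a caller bug of the kind described in this notice produces an error rather than a wider result set.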
It is important to note that this bug, while understandably surprising, did not result in any unauthorized access to sensitive data. For users whose names appeared in mention lists, the only data shown was data those users had already chosen to make public as part of their Atlassian account profile. For users trying to mention other users, no unauthorized access was granted to their private repositories; that is, mentioning an unauthorized user on a private repository does not grant them access, nor does it send them any notifications.
We will be addressing the bug resulting in the unscoped requests as soon as possible. In the meantime, the user search service change has been rolled back, so requests that omit the scope filter are once again rejected rather than searched against all users; this should eliminate any further confusion or inconvenience caused by this issue until the root cause is resolved.