At first blush, three observations:
- 30-day cookies - that leaves a pretty big window of opportunity that seems mostly driven by "user experience." I suspect the driver is integration with a mobile app. We're used to logging in/using password managers with web browsers, but in the thumb-click rush of the mobile experience, we demand more authentication persistence.
- Email addresses buried in the cookie - All a cookie should be is some random ID that can then be married to a database. There is no need to store such identifying data ... UNLESS you are trying to do tracking with partners or something similar.
- 2FA - No, it doesn't seem to be 2FA. This seems to be shortcut authentication where, if you have the token, you don't have to use an additional means of authentication.
Still, all of this seems more proof of concept (maybe I missed something), but it seems like CloudSek hacked itself (using its own cookies). Fundamentally, the issue is: is there anything in these Atlassian applications that gives up their cookies? I don't see that reported (although, apparently, Atlassian cookies can be found for sale). While it is true that if someone gets their hands on a device, they can then get access to someone's cookies, if they have that kind of access, they can also get at password managers and the like. It's kind of game-over at that point anyway. I don't know if this all warrants alarm, but there certainly seem to be teachable and fixable moments here.
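The design the comment above argues for (a cookie that is nothing but a random ID mapped to a server-side record) can be shown side by side with the "identity buried in the cookie" pattern it criticizes. The following is an added illustration written for this page, not code from CloudSek, Atlassian, or the commenter; `make_identifying_cookie`, `SessionStore`, and the sample e-mail address and user IDs are constructed for the example. The second point it makes goes slightly beyond the comment: a server-side session can be revoked the moment a cookie is suspected stolen, whereas a self-contained cookie with a 30-day expiry stays valid until that date.

```python
import base64
import json
import secrets
import time
from typing import Dict, Optional

# Pattern 1 (constructed "bad" example): the cookie carries the user's
# identity in the clear. Base64 is encoding, not encryption, so anyone
# holding the cookie (or a log line that captured it) can read the e-mail.
def make_identifying_cookie(email: str, ttl_seconds: int) -> str:
    payload = {"email": email, "exp": int(time.time()) + ttl_seconds}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()


def read_identifying_cookie(cookie: str) -> dict:
    """No secret is needed to recover the identity from the cookie value."""
    return json.loads(base64.urlsafe_b64decode(cookie.encode()))


# Pattern 2: the cookie value is an opaque random ID; everything about the
# user lives in a server-side table keyed by that ID.
class SessionStore:
    def __init__(self, ttl_seconds: int) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, dict] = {}

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        """Issue a new session ID (256 bits from the OS CSPRNG) for user_id."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user_id": user_id,
            "issued": now,
            "expires": now + self.ttl,
        }
        return sid

    def resolve(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Map a presented cookie back to a user, or None if unknown/expired."""
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now >= rec["expires"]:
            # Lazy expiry: drop the record the first time it is seen stale.
            del self._sessions[sid]
            return None
        return rec["user_id"]

    def revoke(self, sid: str) -> None:
        """Kill one session, e.g. on logout or a reported device loss."""
        self._sessions.pop(sid, None)

    def revoke_all_for_user(self, user_id: str) -> int:
        """Kill every session for a user (password reset, suspected theft).
        Returns the number of sessions removed."""
        doomed = [s for s, r in self._sessions.items() if r["user_id"] == user_id]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)


if __name__ == "__main__":
    thirty_days = 30 * 86400
    fat = make_identifying_cookie("alice@example.com", thirty_days)
    print("identifying cookie reveals:", read_identifying_cookie(fat)["email"])

    store = SessionStore(ttl_seconds=thirty_days)
    sid = store.create("user-42")
    print("opaque cookie value:", sid)          # no e-mail, no user ID
    print("resolves to:", store.resolve(sid))   # user-42
    store.revoke(sid)
    print("after revoke:", store.resolve(sid))  # None, even though 30 days remain
```

The opaque ID on its own does not shrink the 30-day window the comment worries about; what it buys is that the server can end a session early and that the cookie leaks nothing if it is copied from a device or turns up for sale.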