⚡ Engineering War Stories from the Trenches

When Big Tech Breaks
& How They Fix It

The postmortems they published. The outages they survived. The fixes that saved millions of users. Read the real story — not the press release.

Case Studies

Companies

∞

Things Broke

100%

No Fiction

Netflix Chaos Engineering

Netflix Unleashed a Monkey With a Weapon in Its Own Data Center — On Purpose

It was 2011 and Netflix had just migrated hundreds of microservices to AWS. Their architecture was distributed, horizontally scaled, and theoretically fault-tolerant. But theory and production are different things. The only way to know if a system could survive failures was to cause failures — constantly, deliberately, during business hours, and in production. So they built a monkey.

July 19 2011 blog published Business-hours instance killing 10 Simian Army members +3

Read full story →

Hotstar Live Streaming

When MS Dhoni Got Out: How Hotstar Survived 25 Million Concurrent Users

July 9th, 2019. India vs New Zealand, Cricket World Cup semi-final. MS Dhoni walks to the crease and 1.1 million new viewers join Hotstar every single minute. Then he gets run out — and 24 million people hit the back button almost simultaneously.

25.3M peak concurrent 1.1M users/min growth 5.7 Tbps bandwidth +3

Read full story →

GitHub Databases

How GitHub Upgraded 1200 MySQL Hosts Without Dropping a Single Query

MySQL 5.7 was hitting end-of-life, and GitHub's production database fleet spanned 1,200 hosts, 300 terabytes of data, and 5.5 million queries every second. Getting from here to MySQL 8.0 without disrupting 100 million developers was going to take more than a weekend.

1,200+ MySQL hosts upgraded 300+ TB data migrated 5.5M queries/sec maintained +3

Read full story →

Slack Reliability

Slack Built a Big Red Button to Drain an Entire Data Center in Five Minutes

On June 30, 2021, a network link connecting one AWS availability zone failed — and Slack users felt it, despite Slack running in multiple availability zones. The postmortem question was brutal: why did a single AZ failure affect users at all? The answer drove 18 months of architecture work.

2021-06-30 AZ outage trigger 1.5 years migration time AZ drain in <5 minutes +3

Read full story →

Cloudflare Reliability

Cloudflare Fixed a React Security Vulnerability and Broke the Entire Network

In late 2025, Cloudflare was rolling out a fix for a React security vulnerability. To do so, they needed to disable an internal testing tool with a global killswitch. The killswitch, unexpectedly, triggered a bug that sent HTTP 500 errors across Cloudflare's entire global network. This was the third major configuration-related global outage in two years.

Dec 2025 global outage React CVE fix triggered outage Global killswitch bug +3

Read full story →

LinkedIn Messaging

LinkedIn Needed a Message Queue. They Built the One the Entire Internet Runs On.

In 2010, LinkedIn was drowning in data it couldn't move. Every ML model, every recommendation engine, every real-time feature was starving because there was no reliable way to get activity data from the website into the systems that needed it. Jay Kreps, Jun Rao, and Neha Narkhede spent a year building a fix. They named it after Franz Kafka. The rest of the internet adopted it.

1B events/day at launch (2011) 1T messages/day by 2015 7T messages/day by 2019 +3

Read full story →

Discord Databases

How Discord Migrated Trillions of Messages and Fired Their Garbage Collector

It is 2022 and Discord's on-call engineers are babysitting a 177-node database cluster, manually rebooting nodes after Java GC pauses spiral out of control. The system holding every message ever sent is becoming the thing everyone fears touching most.

177 → 72 nodes p99 latency 15ms (was 40–125ms) 9-day migration (was 3-month est.) +3

Read full story →

Discord Reliability

Discord Killed the MacBook Dev Environment and Never Looked Back

Discord's engineering team had tripled in size and was drowning in a swamp of 'works on my machine' bugs — some engineers running macOS, some Ubuntu, all of them slowly. The solution was radical: no one gets a local dev environment anymore.

3x engineering org growth Mac→V1→V2 (two migrations) Began 2020, V2 done 2023 +3

Read full story →

Netflix Distributed Systems

Netflix Hit the AWS Instance Ceiling and Built a Workflow Engine That Scales Forever

Netflix's Meson orchestrator was handling hundreds of thousands of daily data and ML jobs — and running out of machine. Vertically scaling on AWS had a hard ceiling, and the workflows were doubling in size every year. The only way out was a complete architectural rethink.

2M+ jobs/day at peak Hundreds of thousands of workflows Meson → Maestro 2020 +3

Read full story →

Slack Reliability

Slack's Worst Day: When a Better Cache Manager Made Everything Worse

On February 22, 2022, Slack went down for many users — including the engineer designated as Incident Commander, who was authoring the postmortem from a position of personal experience. The culprit was a new component that worked exactly as designed.

Feb 22 2022 outage Consul rollout to 75% of fleet Cache hit rate collapsed +3

Read full story →

Stripe Databases

How Stripe Moves Petabytes Between Database Shards Without Stopping the Money

Stripe processed over $1 trillion in payment volume in 2023 while maintaining 99.999% uptime — five nines, fewer than 6 minutes of downtime all year. The infrastructure secret is a database platform called DocDB and a migration engine that moves petabytes of financial data between shards without any application knowing it happened.

$1T+ payment volume 2023 99.999% uptime achieved 5M database queries/sec +3

Read full story →

Slack Distributed Systems

Slack Rewrote Its Core Architecture for Enterprise — Because the Old One Was a Lie

Slack was built for teams in single workspaces. Enterprise customers were using it across dozens of workspaces simultaneously — and the architecture had never been designed for that. Every major enterprise feature was a workaround on top of a foundation that assumed one workspace per person. Slack spent two years rebuilding the foundation.

2 years development time Workspace-centric → org-wide Thousands of APIs refactored +3

Read full story →

Slack Reliability

Slack Cut Deploy-Related Customer Impact by 90% in Eighteen Months

73% of Slack's customer-facing incidents were being triggered by Slack itself — by its own code deploys. The team stopped treating each outage as a one-off and started treating deploy safety as a program, with metrics, milestones, and automated rollbacks. Eighteen months later, customer impact hours were down 90%.

73% incidents from own deploys 90% reduction in impact hours Manual → automatic rollbacks +3

Read full story →

Atlassian Reliability

How a Two-Line Script Silently Deleted 883 Customer Cloud Sites

At 07:38 UTC on April 5th, 2022, a maintenance script begins its run — methodical, peer-reviewed, totally routine. Twenty-three minutes later, 883 Atlassian Cloud sites have been permanently deleted, and the company's own incident management tool, Opsgenie, is one of the casualties.

883 sites deleted 14 days max outage 775 customers affected +3

Read full story →

Netflix Live Streaming

65 Million Streams: How Netflix Rebuilt Its Guts for Live

November 15, 2024: 65 million people log on to watch Mike Tyson fight Jake Paul, the largest live sports stream in history. Behind the scenes, Netflix engineers are white-knuckling a system they built from scratch — one where a single bad video segment, a CDN request storm, or a missed 2-second write deadline means millions of viewers see a black screen.

65M concurrent streams 113ms → 25ms p50 latency 200Gbps+ read throughput +3

Read full story →

Stripe Performance

Stripe Converted 3.7 Million Lines of JavaScript in One Pull Request on a Sunday

On Sunday, March 6, 2022, Stripe merged a single pull request that converted their entire largest JavaScript codebase from Flow to TypeScript. 3.7 million lines of code. Hundreds of engineers arrived Monday morning to start writing TypeScript. The migration had been invisible until it wasn't.

3.7M lines converted in 1 PR Single Sunday deploy Largest JS codebase at Stripe +3

Read full story →

GitHub Reliability

The Test That Broke GitHub: A Failover Drill Goes Live

June 29, 2023, 17:39 UTC: GitHub engineers initiate a planned live failover test of their brand-new second Internet edge facility — six months of infrastructure work designed to eliminate a single point of failure. Within seconds, instead of validating their redundancy, they've created an outage that takes GitHub offline for millions of developers across North America and South America.

32-minute outage 2-min detect-to-revert US East + South America +3

Read full story →

Shopify Databases

Shopify Sharded a Rails Database With Vitess and the App Never Knew It Happened

The Shop app was growing exponentially. Its single MySQL database was approaching vertical scaling limits. Shopify needed horizontal sharding — but they had a Rails monolith that expected a single database, and a system that couldn't have downtime during a commerce platform used by millions daily.

KateSQL → Vitess migration user_id as sharding key VTGate transparent to app +3

Read full story →

Shopify Databases

Shopify's Engineers Hunted Deadlocks at 19 Million Queries per Second

During Black Friday and Cyber Monday 2023, Shopify's MySQL fleet was handling 19 million queries per second. At that scale, even rare deadlock patterns become common enough to cause real incidents. The engineering team published a detailed playbook for diagnosing and eliminating MySQL deadlocks in high-concurrency production environments.

19M MySQL QPS at BFCM peak 58M requests/min app servers 99.999%+ uptime maintained +3

Read full story →

Cloudflare Reliability

Cloudflare's Datacenter Partner Failed and the Control Plane Went Dark for 40 Hours

On November 2, 2023, Cloudflare's primary datacenter partner experienced a power failure. The control plane — the system that lets customers configure DNS, firewall rules, and every Cloudflare service — went dark. It stayed dark, in various forms, for nearly 40 hours. The postmortem introduced a concept Cloudflare hadn't had before: Code Orange.

Nov 2–4 2023 outage ~40 hours control plane down Flexential datacenter failure +3

Read full story →

Cloudflare Reliability

A Database Permission Change in ClickHouse Took Down 28% of Cloudflare's HTTP Traffic

On November 2, 2023 — the same day as the control plane datacenter failure — Cloudflare also experienced a separate six-hour global outage. The cause: a database permission change in ClickHouse generated a corrupt configuration file that was silently propagated to every server in Cloudflare's Bot Management system, crashing it globally.

Nov 2 2023 outage 28% HTTP traffic impacted 6 hours total duration +3

Read full story →

Netflix Performance

Netflix Made Their Workflow Orchestrator 100x Faster by Rewriting the Engine Nobody Thought Was Slow

Maestro had been running Netflix's data and ML workflows successfully for two and a half years. Then Live, Ads, and Games drove sub-hourly scheduling requirements that revealed the orchestrator's overhead — not in crashes or alerts, but in slow step launches that nobody had measured. The fix was a complete engine rewrite that delivered 100x throughput improvement.

100x throughput improvement 2.5 years before overhead visible Sub-hourly scheduling trigger +3

Read full story →

Netflix Performance

Netflix's Containers Were Fighting Their Own CPUs — and Losing

Netflix ran millions of containers per day on modern multi-core CPUs. The containers performed well on benchmarks. In production, under certain workloads, they were mysteriously slower than expected — slower than the hardware should have allowed. The culprit was CPU topology: the operating system was scheduling container workloads in ways that violated modern CPU cache architecture. They called the investigation 'Mount Mayhem.'

Mount Mayhem investigation Modern multi-core CPU topology NUMA and cache locality +3

Read full story →

Netflix Reliability

Netflix Streamed Live Sports for Millions — and the Hard Part Wasn't the Video

When Netflix began streaming live events — boxing, NFL games, comedy specials — the engineering challenge wasn't encoding or delivery. It was building the human infrastructure: the operations team, the escalation paths, the real-time decision systems, and the runbooks that let engineers respond to live event failures in seconds, not minutes.

Live events at Netflix scale Sub-second escalation paths NFL Christmas Day 2023 +3

Read full story →

Figma Databases

Figma's Database Grew 100x in Four Years — Here's How a Small Team Kept It From Toppling

In 2020, Figma ran on a single Postgres instance on AWS's largest available machine. Four years later, that database had grown nearly 100x. Some tables had swelled to several terabytes and billions of rows. The Postgres vacuum process — the background job that keeps Postgres alive — was causing reliability incidents. They had months of runway left before hitting the IOPS ceiling. A small databases team had nine months to fix it.

100x DB growth since 2020 Single instance → horizontal shards 9-month migration +3

Read full story →

Datadog Reliability

Datadog Went Dark for 24 Hours and Came Back With a Different Philosophy

On March 8, 2023, Datadog — the platform engineers use to know when their own infrastructure is broken — broke. For more than 24 hours, across five regions on three cloud providers, metrics stopped arriving, logs disappeared, and dashboards showed nothing. The people whose job was to fix it couldn't see what was happening. It cost $5 million. It changed how Datadog thinks about building software.

24h+ global outage $5M revenue loss 50–60% Kubernetes nodes lost +3

Read full story →

OpenAI Databases

OpenAI Runs ChatGPT for 800 Million Users on One PostgreSQL Instance — and It Works

ChatGPT has 800 million users. It handles millions of database queries per second. And it runs on a single primary PostgreSQL instance on Azure — one writer, backed by about fifty read replicas. No sharding. No distributed SQL. Just Postgres, pushed further than almost anyone thought possible through obsessive optimization and ruthless operational discipline.

800M users, 1 primary PG instance ~50 read replicas globally Millions of QPS, p99 <20ms +3

Read full story →

Uber Security

Uber Had 150,000 Secrets Scattered Across 25 Vaults — So They Built One Platform to Rule Them

150,000 secrets. 25 separate vaults. Hundreds of teams managing their own credentials in their own ways, some in plain text in version control. At Uber's scale — 5,000 microservices, 5,000 databases, 500,000 analytical jobs per day — secrets sprawl is not a compliance problem. It is an incident waiting to happen. A team of ten engineers decided to fix it.

150,000 secrets managed 25 vaults → 6 managed vaults 5,000 microservices secured +3

Read full story →

Shopify Reliability

The 80% Problem: Why Getting an LLM System to 'Works in Demo' Is 20% of the Work

Every team building with LLMs discovers the same brutal truth: 80% quality arrives in a few weeks. The final 15% — the gap between 'impressive demo' and 'product I'd trust with my customers' — takes the rest of the time. Shopify's Flow agent and Sidekick teams lived this curve and came back with a systematic playbook. It is mostly about measurement.

LLM judge: 0.02 → 0.61 Kappa 300-example hand-crafted benchmark Production mirroring closes gap in 2 weeks +3

Read full story →

Atlassian · Reliability

How a Two-Line Script Silently Deleted 883 Customer Cloud Sites

The Story

The script we used provided both the 'mark for deletion' capability used in normal day-to-day operations (where recoverability is desirable), and the 'permanently delete' capability that is required to permanently remove data when required for compliance reasons.

— Sri Viswanath, CTO — via Atlassian Engineering Blog, April 2022

In 2021, Atlassian completed the acquisition and integration of a standalone app called Insight – Asset Management into Jira Service Management as native functionality. The standalone version was now obsolete and needed to be retired from the 200,000+ customer cloud sites that had it installed. An engineering team wrote a cleanup script using an existing deletion process — nothing unusual, nothing new. What happened next would become the longest and most public cloud outage in Atlassian's history. The seeds were sown not in a line of code, but in a conversation between two teams separated by function, timezone, and context.

The deletion API that powered the script accepted two types of identifiers: app IDs to remove a specific product installation, and site IDs to remove an entire customer workspace. Both were valid inputs. The API assumed the caller knew which they were passing and offered no type-checking, no confirmation prompt, no dry-run mode. The team requesting the deletion provided the IDs of the cloud sites where the app was installed — not the IDs of the app instances themselves. The executing team, receiving a list of IDs and a known-good script, ran it. was not used; the script took the permanent deletion path instead. The script completed its run from 07:38 to 08:01 UTC on April 5th, 2022.

The entire deletion ran in just 23 minutes. Because it executed through standard provisioning workflows, Atlassian's internal monitoring detected nothing — the system behaved exactly as designed. The first signal of disaster came not from dashboards, but from a customer support ticket filed at 07:46 UTC.

Problem

Silent Deletion

At 07:38 UTC, the cleanup script begins sequentially deleting sites from a list of 883 IDs. Because deletions pass through the standard Cloud Provisioner workflow — the same pathway used for day-to-day operations — internal monitoring fires no alert. At 07:46 UTC, the first customer support ticket arrives: Jira, Confluence, Opsgenie, and Statuspage are all unreachable.

Cause

Wrong IDs, No Guard

At 08:53 UTC, engineers confirm the link between the script run and the deletions. The communication gap is clear: team A passed instead of app IDs to team B. The deletion API, designed to accept both types without validation, assumed correctness. The script used the permanent delete path, not the soft-delete path, meaning no data was retained in recoverable staging — it was gone from production immediately.

Solution

Two Approaches to Rebuild

Restoration 1 — creating brand-new sites and migrating data across — took approximately 48 hours per batch and required 70 sequential steps including re-mapping immutable Cloud IDs across every third-party ecosystem app. On April 9th, the team proposed Restoration 2: re-creating records using the original site identifiers, cutting the process to ~30 steps and ~12 hours per site. An engineering-wide code freeze was imposed on April 8th to eliminate risk of compounding incidents.

Result

Full Restoration, Hard Lessons

The final affected customer was restored on April 18th — 13 days after the incident began. Atlassian met its Recovery Point Objective of one hour: no customer lost more than five minutes of data. The company permanently blocked bulk site deletes, mandated soft-delete policies across all systems, and committed to automated multi-site disaster recovery testing as a regular operational exercise.

What made the outage uniquely brutal was its second-order effect: the script that deleted customer sites also deleted the contact information for those customers. Atlassian's support systems required a valid Cloud URL and Atlassian ID to file a ticket — and both were gone. Customers couldn't reach support, and Atlassian couldn't reach customers. The company had to reconstruct contact lists from billing systems, prior support tickets, and manual outreach before they could even begin coordinating restoration. The multi-tenant architecture — where data from multiple customers lives in shared storage shards — meant that a global rollback was not an option. Restoring any individual site required surgically extracting and replaying that customer's records without disturbing the data of the thousands of other tenants sharing the same database.

The Irony That Hurt Most

Among the 883 deleted sites were Atlassian's own internal instances — and Opsgenie, the company's own incident management product. The team managing the worst outage in Atlassian history had to do it without their primary incident tracking and alerting tool. The cobbler's children had no shoes.

THE HACKER NEWS SIGNAL

As Atlassian remained largely silent for the first nine days, the outage trended on Hacker News. The highest-voted comment, from someone claiming to be a former Atlassian employee, alleged that internal monitoring was poor and that more than 50% of incidents were customer-detected. Atlassian neither confirmed nor denied the claims — but the silence amplified the speculation. On Day 9, they finally confirmed what the community had already guessed: the Insight plugin retirement script was the cause.

At peak response, the recovery involved 450+ support engineers running 24/7 shifts across global timezones, manually validating each restored site before handing it back to the customer. The team created a dedicated Jira project — SITE — with a custom workflow to track restoration progress site-by-site across engineering, program management, and customer support. The Restoration 2 breakthrough, when it came on Day 4, was the turning point: by re-using original site identifiers, the team could eliminate the most time-consuming step — re-mapping immutable IDs across third-party app integrations — and cut site recovery time from 48 hours to 12. The final site was restored on April 18th. Every customer got their data back.

Recovery Point Objective: Met

Despite the scale, Atlassian met its one-hour RPO — most customers lost at most five minutes of data. The combination of full backups plus point-in-time incremental backups, retained for 30 days, made this possible. What they missed was the RTO: restoring 775 customers took 13 days, not hours.

Peer review caught the endpoint. It just didn't ask what the IDs were for.TechLogStack — built at scale, broken in public, rebuilt by engineers

The Bigger Context: Server Sunset Pressure

This incident occurred at a critical business moment: Atlassian had announced the end-of-life for its on-premises Server product, actively pushing customers toward the Cloud. The 14-day outage landed directly on top of that migration narrative, giving every enterprise customer a live, public data point about versus self-hosted control.

The Fix

13d

Duration from first deletion (April 5) to final site restored (April 18) — the longest outage in Atlassian's history

<5 min

Maximum data loss per customer — Recovery Point Objective met, despite missing Recovery Time Objective by days

~70 → 30

Restoration steps reduced from Approach 1 to Approach 2, cutting site rebuild time from 48 hours to ~12 hours

450+

Support engineers running 24/7 manual validation shifts globally at peak incident response

Recovery began in three parallel workstreams the moment the root cause was confirmed on Day 1. The first workstream assembled a manual team to hand-walk through the restoration steps for individual sites, validating each one. The second workstream raced to automate those same steps so they could be run safely in large batches. The third — the one that ultimately broke the logjam — was a full rewrite of the restoration approach itself. Restoration 1 created brand-new sites with fresh Cloud IDs, requiring all downstream services and third-party apps to be re-mapped to the new identifiers. This was safe but brutally slow: ~70 steps, ~48 hours per batch, with cascading dependencies that could only run in sequence. Every third-party app in the ecosystem had to be re-integrated. The math told a grim story: this approach would take three weeks to clear the full backlog of 775 customers.

THE BREAKTHROUGH: RESTORATION 2

On April 9th — Day 4 — the team proposed Restoration 2: instead of creating new sites, re-create the deleted records in-place using the original site identifiers. The key insight was that like CloudID were the primary source of complexity in Restoration 1. By preserving them, the team eliminated over half the restoration steps, removed the need to coordinate re-mapping with third-party app vendors, and reduced site recovery from 48 hours to approximately 12 hours. The trade-off: everything automated for Restoration 1 had to be rewritten, and both approaches ran in parallel for days while the new method was tested and validated.

python

# Pseudocode: Restoration 2 — re-create deleted records using original identifiers
# This was the breakthrough that cut recovery time from ~48h to ~12h per site

def restore_site_v2(site_id, restore_point_timestamp):
    # Step 1: Re-create the site record in the Catalogue Service using the ORIGINAL site_id
    # Critical: preserve original cloudId to avoid re-mapping all downstream references
    catalogue.uncreate(site_id, preserve_original_cloud_id=True)

    # Step 2: Restore identity data (users, groups, permissions) in parallel
    # These can run concurrently with database restoration — no sequential dependency
    identity.restore_async(site_id, point_in_time=restore_point_timestamp)

    # Step 3: Restore primary product databases (Jira, Confluence, etc.)
    # Point-in-time recovery to exactly 5 minutes before deletion
    for product in get_site_products(site_id):
        db.restore_to_point_in_time(
            product=product,
            timestamp=restore_point_timestamp,  # 5 min before deletion
            site_id=site_id
        )

    # Step 4: Restore cross-service data (media attachments, app data, feature flags)
    # Can parallelize across services that have no dependencies on each other
    services.restore_parallel(site_id, timestamp=restore_point_timestamp)

    # Step 5: Automated validation — checks all services are healthy for the site
    validation_result = validate_site(site_id)
    if not validation_result.passed:
        raise RestorationError(f"Site {site_id} failed validation: {validation_result.errors}")

    # Step 6: Hand off to customer for final sign-off
    notify_customer(site_id, status='ready_for_validation')

The Root Technical Failure: An API Without Type Safety

The deletion API accepted both app IDs and site IDs as valid inputs and assumed the caller knew which type they were passing. There was no runtime validation to check whether the input ID referred to an app or an entire customer site. A single guard — checking the type of the entity behind each ID before executing permanent deletion — would have surfaced the mismatch before a single site was touched.

Restoration 1 vs Restoration 2 — what changed and why it mattered

Dimension	Restoration 1	Restoration 2
Approach	Create new site, migrate data in	Re-create original records in-place
Site identifiers	New CloudID assigned (immutable IDs changed)	Original CloudID preserved
Steps required	~70 sequential steps	~30 steps with parallelism
Recovery time/site	~48 hours per batch	~12 hours per site
Third-party apps	Every app re-integration required per site	No re-integration needed
Sites restored	112 sites (53% of affected users)	771 sites (47% of affected users)

Four changes were committed as non-negotiable outcomes. First: universal soft-delete across all Atlassian systems — permanent deletion of customer data can only occur after a soft-delete period expires, never directly. Second: automated multi-site, multi-product disaster recovery testing, regularly exercised at scale. Third: a large-scale incident playbook with sub-streams, pre-built tooling, and simulation exercises that go far beyond the single-service incidents Atlassian had historically trained for. Fourth: backup of customer contact data outside the product instance itself, so that a site deletion could never again sever the communication channel needed to coordinate recovery. Every one of these was announced as an immediate action, not a future roadmap item.

Zero Data Loss

Despite the scale and duration, no customer permanently lost data. Thirty-day immutable backups with point-in-time recovery meant the team could always get back to within five minutes of the deletion event. The RPO was met. The RTO was not. That asymmetry — data safe, access gone for two weeks — defined the entire character of the incident.

The Code Freeze Decision

On April 8th, Atlassian imposed a company-wide code freeze — no deployments across all of engineering until restoration was complete. This eliminated the risk of a compounding incident, reduced noise, and allowed the entire engineering org to focus exclusively on recovery without distraction from unrelated changes.

Architecture

To understand why a script deleting 883 sites took two weeks to reverse, you need to understand what an Atlassian site actually is. A site — for example yourcompany.atlassian.net — is not a row in a database. It is a logical container distributed across dozens of services, each maintaining their own slice of state. Identity data (users, groups, permissions) lives in one service. Product databases for Jira, Confluence, and Opsgenie live in others. Media attachments, feature flags, licensing metadata, third-party app configurations — each of these occupies a separate data store. All of it is hosted on AWS and orchestrated through , Atlassian's internal PaaS. The site deletion did not touch a single database — it sent deletion events through the standard provisioning workflow, and every downstream service dutifully removed its copy.

How a site deletion propagated through Atlassian's distributed architecture

flowchart TD script["Cleanup Script\n(site IDs passed instead of app IDs)"] -->|"permanent delete event"| provisioner["Cloud Provisioner\n(AWS SWF orchestration)"] provisioner -->|"tenant destruction event"| catalogue["Catalogue Service\n(site metadata + cloudId)"] provisioner -->|"product deactivation events"| identity["Identity Service\n(users, groups, permissions)"] provisioner -->|"product deactivation events"| jira_db[("Jira Databases\n(per-shard, multi-tenant)")] provisioner -->|"product deactivation events"| confluence_db[("Confluence Databases\n(per-shard, multi-tenant)")] provisioner -->|"product deactivation events"| media[("Media Service\n(attachments, images)")] provisioner -->|"product deactivation events"| opsgenie_db[("Opsgenie\n(incident management)")] provisioner -->|"product deactivation events"| statuspage_db[("Statuspage\n(status communication)")] provisioner -->|"product deactivation events"| commerce["Commerce / Identity\n(billing + contacts DELETED)"] commerce -.->|"contact info gone\u2014no way to reach customers"| support_gap["Support Gap\n(customers cannot file tickets)"] style script fill:#ef4444,color:#fff style support_gap fill:#f59e0b,color:#fff style catalogue fill:#ef4444,color:#fff

WHY A GLOBAL ROLLBACK WASN'T POSSIBLE

The instinctive solution — roll back the entire database to before the script ran — was blocked by the . Each database shard contained data from hundreds of customers, most of whom were completely unaffected. A global rollback would have wiped hours of real work from tens of thousands of innocent customers. The only option was surgical: extract and replay each deleted customer's records individually, from 30-day immutable backups, without touching any surrounding data.

Restoration 2 — re-creating records in-place using original identifiers to avoid re-mapping

flowchart LR backup[("Point-in-Time Backup\n(30-day immutable)")] --> restore_point["Restore Point\n5 min before deletion"] restore_point --> catalogue_restore["1. Re-create Catalogue Record\n(preserve original cloudId)"] catalogue_restore --> parallel_work["Run in Parallel"] parallel_work --> identity_restore["2a. Identity Restore\n(users, groups, permissions)"] parallel_work --> db_restore["2b. Product DB Restore\n(Jira, Confluence, Opsgenie)"] parallel_work --> media_restore["2c. Media Restore\n(attachments, images)"] identity_restore --> services_restore["3. Cross-Service Restore\n(feature flags, apps)"] db_restore --> services_restore media_restore --> services_restore services_restore --> auto_validate["4. Automated Validation\n(health checks per product)"] auto_validate --> customer_validate["5. Customer Sign-Off\n(manual final check)"] customer_validate --> restored(["Site Restored"]) style backup fill:#22c55e,color:#fff style restored fill:#22c55e,color:#fff style catalogue_restore fill:#0052CC,color:#fff

The Missing Layer: Multi-Site Automated DR

Atlassian's disaster recovery had been designed for infrastructure failures — a lost database, a failed availability zone, a corrupted single service. It had never been designed for the scenario of selectively restoring hundreds of customers from shared backups into a live production environment. The capability existed for single-site recovery; it simply hadn't been automated or tested at this scale. The incident forced Atlassian to build, from scratch, the tooling that would eventually become a core part of their DR program.

Micros: The Internal PaaS That Ran the Deletions

Atlassian's Micros platform orchestrates all service deployments, security controls, and provisioning events across their cloud. The deletion script triggered standard tenant destruction events through Micros — which is exactly why monitoring didn't fire. Normal deletions look identical to erroneous bulk deletions from an observability perspective when the system has no input validation at the API layer.

Lessons

Thirteen days of outage, 450 engineers, two restoration approaches from scratch — and all of it began with two teams that didn't fully understand what IDs they were exchanging. The Atlassian incident is not a story of technical failure. It is a story of what happens when destructive operations lack defense-in-depth: no type validation, no dry-run mode, no staged rollout, no soft-delete, and no explicit confirmation that an operation targeting 883 site-level records was actually what anyone intended.

Deletion APIs must validate what they are deleting, not just whether the operation is allowed. An API that accepts both app IDs and site IDs without distinguishing them is a loaded gun with the safety removed. Before any destructive operation executes in production, a system-level check should confirm the type of entity being targeted — and fail loudly if it doesn't match the caller's stated intent.

must be the only permitted path for any operation touching customer data. Permanent deletion paths — even legitimate ones needed for compliance — should require a multi-step authorization separate from standard maintenance workflows. If an operation cannot be reversed in under an hour, it should not be triggerable in a single script run.

Disaster Recovery testing must include the scenario you have never practiced, not just the one you have. Atlassian's backups were excellent and their single-site recovery was proven. What failed was multi-site, multi-product coordinated recovery at scale — a scenario that had no runbook and no automation. Test the rare catastrophe, not just the common failure.

Customer contact information must be backed up outside the system it describes. When the deletion removed customer sites, it also removed the contact data Atlassian needed to reach those customers. Never let a single operation sever both the incident and the communication channel for resolving it. Store critical customer identifiers in a system that is logically and physically separate from the product instances they reference.

Staged rollout applies to maintenance scripts, not just feature deployments. The first production run of the cleanup script processed 30 sites correctly — because those IDs had been sourced before the miscommunication occurred. The second run hit 883. A staged rollout policy on any script modifying customer data at scale would have surfaced the error on a batch of 10 before it reached 883.

The Communications Lesson They Admitted

For nine days, Atlassian remained largely silent publicly while customers speculated on forums. They later acknowledged they should have communicated directional estimates with explicit uncertainty — even imprecise timelines — far earlier. Silence read as incompetence. "We don't know yet" is a communication, not a failure to communicate.

The Industry Shift This Incident Accelerated

After the Atlassian outage, "soft-delete by default" moved from engineering best-practice advice to boardroom checklist item at cloud companies worldwide. The incident remains the most-cited example of how of a single maintenance script can exceed the blast radius of a network attack — because the system was designed to trust the caller.

The API accepted both app IDs and site IDs. It just didn't ask which one you meant.TechLogStack — built at scale, broken in public, rebuilt by engineers