
HipChat resets user passwords after hacker steals names, emails, more



For those who found themselves unable to log into popular chat service HipChat recently, here’s why: An unknown intruder broke into one of its servers over the weekend, forcing the company to reset users’ passwords as a precaution.

In a security notice on the firm's blog, Atlassian’s Chief Security Officer, Ganesh Krishnan, writes that the incident was the result of a vulnerability in a “popular third-party library.”

The attacker may have accessed user account information such as names, email addresses, and hashed passwords, along with metadata such as room names and topics. The post notes that HipChat hashes passwords using bcrypt with a random salt.

In a small number of instances – under 0.05 percent – messages and content posted in rooms may have been accessed, but there’s no evidence of any financial and credit card information being stolen. Additionally, no other Atlassian products, such as Trello and Jira, were compromised during the attack.

After invalidating all the passwords on HipChat-connected accounts, the company sent out emails with instructions on how to reset the login credentials. If you’re a user who didn’t receive an email, the security team has found no evidence you were affected.

“While HipChat Server uses the same third-party library, it is typically deployed in a way that minimizes the risk of this type of attack. We are preparing an update for HipChat Server that will be shared with customers directly through the standard update channel,” states the blog post.

“We are confident we have isolated the affected systems and closed any unauthorized access,” added Krishnan.

Atlassian said it is now working with law enforcement on the investigation of this matter.
