HipChat Suffers Breach During the Weekend


Team communication platform HipChat was breached by an unknown intruder over the weekend who has reportedly made off with a large amount of metadata.

Atlassian-owned team communication platform HipChat was broken into by an unknown intruder who was able to access user-account information that includes email addresses, hashed passwords and names.

According to a blog by Atlassian’s chief security officer Ganesh Krishnan, the company hashed all passwords using the bcrypt algorithm, with a random salted hash for added measure. The practice is widely seen as a good security standard by the industry.

The security incident occurred with the intruder gaining access to a server in the HipChat Cloud web tier. Specifically, the incident involved a vulnerability in a popular but unnamed third-party library used by HipChat.com, the announced revealed.

As a precautionary measure, HipChat has reset the passwords for all affected accounts and has delivered instructions to users on how to reset them.

The company’s CSO further claimed that the attacker did not access any users’ financial or credit card details. However, a closer look reveals that the attacker may have accessed about 0.05% of messages and content in rooms. However, the very fact that room metadata was open to access by the attacker points to a wider compromise, one that leaves the attacker to gleam plenty from the rooms’ names and other details from the metadata.

“Room metadata (including room name and room topic) may have also been accessed,” the notice confirms.

The security announcement further adds:

We are confident we have isolated the affected systems and closed any unauthorized access. To reiterate, we have found no evidence of other Atlassian systems or products being affected.

The compromised third-party library is also used by the HipChat Server. However, the method deployment of the server minimizes the risk of such an attack, the CSO adds quickly.

An investigation is underway, with Atlassian working with law enforcement authorities in the aftermath of the breach.

Image credit: Pixabay.