[BreachExchange] Hipchat was hacked over the weekend, and it’s bad

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 24 18:48:42 EDT 2017


https://thenextweb.com/insider/2017/04/24/hipchat-hacked-weekend-bad/

Over the weekend, an unknown intruder broke into HipChat, the
Atlassian-owned team communication platform, and made off with a
significant amount of data.

According to a security notice published on the HipChat blog, the attacker
was able to access user-account information, including names, email
addresses, and hashed passwords.

Ganesh Krishnan, Atlassian’s Chief Security Officer, said the company
hashes all passwords using the bcrypt algorithm, with a random salt. In
short, security best practices.

He also noted that the attacker did not access user financial or credit
card information.

But here’s where it takes a turn for the worse, as in a small number of
instances (around 0.05 percent), the attacker was able to access messages
and content within rooms.

In the other 99.95 percent of instances, it’s possible the attacker
accessed room metadata. This isn’t great either. You can glean a lot from
metadata.

If an attacker was able to (hypothetically) break into Sony’s Hipchat and
saw a (hypothetical) room called PlayStation 5, she could make an educated
guess about what the company is working on without actually reading any
messages.

It’s a far-fetched example (and a little silly), but you get the idea.

In response to the breach, the company is taking several proactive steps.
The company has invalidated passwords on all HipChat-connected accounts
believed to be effected, and emailed password reset instructions.

So, if you can’t log into HipChat tomorrow, it’s okay. You haven’t been
fired. Just check your email.

Hipchat is also trying to solve the issue that lead to this catastrophic
break-in. The issue lies in a third-party library, which contained an
unpatched security vulnerability. Atlassian is currently working on a fix.

And finally, some good news. If you’re using a hosted version of Hipchat,
you aren’t at risk. Moreover, there’s no evidence that the attacker was
able to penetrate any other Atlassian properties, like Jira, BitBucket,
Trello, or Confluence.

Small mercies.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170424/2a90322f/attachment.html>


More information about the BreachExchange mailing list