The internal private online chat and instant messaging service HipChat has sent password reset instructions to some of its users because of a security incident.
Ganesh Krishnan, Chief Security Officer for the Atlassian-owned platform, disclosed some information about the incident on 24 April. As quoted in a security notice released by HipChat:
“This weekend our Security Intelligence Team detected a security incident affecting a server in the HipChat Cloud web tier. The incident involved a vulnerability in a popular third-party library used by HipChat.com. We have found no evidence of other Atlassian systems or products being affected.”
As a result of that vulnerability, an attacker may have accessed some users’ names, email addresses, passwords that HipChat hashed using bcrypt with a random salt, and chat room metadata (including room name and topic). There’s no evidence to suggest an unauthorized actor made off with anyone’s financial information or credit card details. However, it’s possible an attacker obtained room content and messages in less than 0.05 percent of the unauthorized access instances.
HipChat has isolated all affected systems and closed off any unauthorized access. It’s now working with law enforcement authorities and Atlassian, one of the founders of the Vendor Security Alliance. It’s also preparing an update for HipChat Server, an asset whose functionality relies on the third-party library in which the vulnerability exists. Users will receive that fix through the regular update channel.
While they await that patch, affected users and those who are concerned about the security incident should change their passwords as soon as possible. These combinations should be unique to their HipChat accounts, should incorporate character substitutions, and should include a series of words rather than a single dictionary word.
For expert advice on how to create a strong password for each of the web accounts you use, please click here.