HipChat Resets Passwords After Suspected Breach

Popular business group chat site HipChat has been forced to reset passwords for an unspecified number of users after a suspected security breach.

The firm’s chief security officer, Ganesh Krishnan, explained in a blog post on Monday that a vulnerability in a popular third-party library is thought to be to blame for an unauthorized access attempt.

“As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their password,” he added. “If you are a user of HipChat.com and do not receive an email from our Security Team with these instructions, we have found no evidence that you are affected by this incident.”

The data accessed is thought to include user names, email addresses, passwords hashed using bcrypt with a random salt and room metadata.

For less than 0.05% of instances, messages and content in rooms might also have been accessed, Krishnan added.

Customers’ financial data appears safe and no other Atlassian products are thought to be affected.

“While HipChat Server uses the same third-party library, it is typically deployed in a way that minimizes the risk of this type of attack,” Krishnan said. “We are preparing an update for HipChat Server that will be shared with customers directly through the standard update channel.”

ZoneFox CEO, Jamie Graves, said HipChat content could be highly sensitive, given the corporate nature of the platform.

“Organizations must ensure they have visibility and control their data; this includes clarity around how their employees, third-party vendors and any other group with access to sensitive company information are using it – at all times,” he added. “Such an approach goes a long way to ensuring that a breach such as this one is identified and dealt with as quickly as possible.”

However, others lined up to praise HipChat for its speedy response, transparency and the security measures it has in place.

“The positive here is how quickly they have acted; password resets are good and notifying affected users quickly is a major plus,” argued Eset IT security specialist, Mark James. “We often hear about these types of breaches months if not years after they have happened, but in this case we have seen a good description of events with plenty of information about who, what and when.”

Tripwire director, Paul Eldon, explained that hashing and salting passwords makes them more difficult to crack.

“The question is, was this a known vulnerability? If unknown well done HipChat for the speed at which they identified the breach and took the necessary action to remediate further loss or damage,” he added.

“However, if the vulnerability was known then this is another case where security best practice - vulnerability and patch management - would have almost certainly prevented the breach.”
