Over the weekend, an unknown intruder broke into HipChat, the Atlassian-owned team communication platform, and made off with a significant amount of data.
According to a security notice published on the HipChat blog, the attacker was able to access user-account information, including names, email addresses, and hashed passwords.
Ganesh Krishnan, Atlassian’s Chief Security Officer, said the company hashes all passwords using the bcrypt algorithm, with a random salt. In short, security best practices.
He also noted that the attacker did not access user financial or credit card information.
But here’s where it takes a turn for the worse, as in a small number of instances (around 0.05 percent), the attacker was able to access messages and content within rooms.
In the other 99.95 percent of instances, it’s possible the attacker accessed room metadata. This isn’t great either. You can glean a lot from metadata.
If an attacker was able to (hypothetically) break into Sony’s Hipchat and saw a (hypothetical) room called PlayStation 5, she could make an educated guess about what the company is working on without actually reading any messages.
It’s a far-fetched example (and a little silly), but you get the idea.
In response to the breach, the company is taking several proactive steps. The company has invalidated passwords on all HipChat-connected accounts believed to be affected, and emailed password reset instructions.
So, if you can’t log into HipChat tomorrow, it’s okay. You haven’t been fired. Just check your email.
Hipchat is also trying to solve the issue that lead to this catastrophic break-in. The issue lies in a third-party library, which contained an unpatched security vulnerability. Atlassian is currently working on a fix.
And finally, some good news. If you’re using a hosted version of Hipchat, you aren’t at risk. Moreover, there’s no evidence that the attacker was able to penetrate any other Atlassian properties, like Jira, BitBucket, Trello, or Confluence.