On Monday, Atlassian reset user passwords for its group chat service HipChat after it notified its customers of a data breach. Unknown hackers broke into a cloud server of the company and stole a huge amount of data, including group chat logs.
According to Atlassian, attackers exploited a vulnerability in a “popular third-party” software library used by its HipChat.com service, the company did not reveal the name of the library.
“This weekend our Security Intelligence Team detected a security incident affecting a server in the HipChat Cloud web tier. The incident involved a vulnerability in a popular third-party library used by HipChat.com. We have found no evidence of other Atlassian systems or products being affected.” reads the security notice published by Atlassian.
“As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their password.”
Hackers accessed user account data, including names, hashed passwords, and email addresses, according to the company, no financial data has been exposed.
Attackers may also have stolen messages and content in chat rooms for about 0.05 percent of the instances.
“For the vast majority of instances (more than 99.95%), we have found no evidence that messages or content in rooms have been accessed.” continues the data breach notification.
The company excluded that other systems of products (i.e. Jira, Confluence, or Trello) have been affected.
The good news for the users is that hacked service uses the bcrypt cryptographic algorithm for password hashing, and this system is hard to crack.
The company is already working to fix the security vulnerability in the third-party library exploited by hackers, it is preparing an update for HipChat Server that will be shared with customers directly through the standard update channel.
Atlassian has also isolated the affected systems while actively working with law enforcement on the investigation of this hack.
If you are a HipChat user, change your password and be vigilant of Phishing messages.
(Security Affairs – HipChat , data breach)