BreachExchange mailing list archives
Hipchat was hacked over the weekend, and it’s bad
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 24 Apr 2017 16:48:42 -0600
https://thenextweb.com/insider/2017/04/24/hipchat-hacked-weekend-bad/ Over the weekend, an unknown intruder broke into HipChat, the Atlassian-owned team communication platform, and made off with a significant amount of data. According to a security notice published on the HipChat blog, the attacker was able to access user-account information, including names, email addresses, and hashed passwords. Ganesh Krishnan, Atlassian’s Chief Security Officer, said the company hashes all passwords using the bcrypt algorithm, with a random salt. In short, security best practices. He also noted that the attacker did not access user financial or credit card information. But here’s where it takes a turn for the worse, as in a small number of instances (around 0.05 percent), the attacker was able to access messages and content within rooms. In the other 99.95 percent of instances, it’s possible the attacker accessed room metadata. This isn’t great either. You can glean a lot from metadata. If an attacker was able to (hypothetically) break into Sony’s Hipchat and saw a (hypothetical) room called PlayStation 5, she could make an educated guess about what the company is working on without actually reading any messages. It’s a far-fetched example (and a little silly), but you get the idea. In response to the breach, the company is taking several proactive steps. The company has invalidated passwords on all HipChat-connected accounts believed to be effected, and emailed password reset instructions. So, if you can’t log into HipChat tomorrow, it’s okay. You haven’t been fired. Just check your email. Hipchat is also trying to solve the issue that lead to this catastrophic break-in. The issue lies in a third-party library, which contained an unpatched security vulnerability. Atlassian is currently working on a fix. And finally, some good news. If you’re using a hosted version of Hipchat, you aren’t at risk. Moreover, there’s no evidence that the attacker was able to penetrate any other Atlassian properties, like Jira, BitBucket, Trello, or Confluence. Small mercies.
_______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Hipchat was hacked over the weekend, and it’s bad Audrey McNeil (Apr 25)