HipChat hacked, users' account information, private messages and content possibly compromised

Atlassian's group chat service for businesses and teams HipChat has reset all of its users' passwords after detecting a "security incident" over the weekend. In a security notice on Monday (24 April), the company said hackers may have accessed a significant amount of data including users' account information such as names, email addresses and hashed passwords.

Room metadata, including room name and room topic, may have also been accessed in the breach.

In less than 0.05% of instances, hackers may have infiltrated private messages and content within rooms as well, the company said. Regarding the remaining 99.95% of instances, the firm found no evidence to suggest that messages or content in rooms were accessed.

Chief Security Officer Ganesh Krishnan noted that HipChat hashes users' passwords using bcrypt with a random salt. According to the company's security intelligence team, the breach affected one of the servers in the HipChat Cloud web tier.

"The incident involved a vulnerability in a popular third-party library used by HipChat.com," Krishnan wrote. "As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their password."

There is no evidence that the data breach affected any other Atlassian systems or products including Jira, Trello and Confluence, the company noted. No evidence of unauthorised access to financial or payment card information was found either.

"While HipChat Server uses the same third-party library, it is typically deployed in a way that minimizes the risk of this type of attack," Krishnan said. An update for HipChat server will be released soon via the standard update channel.

"We are confident we have isolated the affected systems and closed any unauthorised access," Krishnan said. The company said it is currently working with law enforcement in an ongoing investigation of the breach.

This is not the first time the messaging service for enterprises has suffered a data breach. In February 2015, HipChat reset users' passwords after discovering "suspicious activity" on its server. That breach saw intruders illegally accessing the personal information, including names, usernames, email addresses and encrypted passwords, of less than 2% of HipChat's users.