Atlassian’s HipChat forces password reset after breach

  • Liam Tung (CSO Online)
  • 25 April, 2017 23:03

Atlassian’s team chat service HipChat has reset all passwords for users of its cloud service after discovering hackers had exploited a flaw in a third-party software library affecting a server in the HipChat Cloud.

HipChat’s chief security officer Ganesh Krishnan on Monday said the breach, which was discovered on the weekend, may have given hackers access to account information and content from the service.

Account information exposed includes the name, email address and hashed password of users. Krishnan notes that HipChat hashes user passwords with bcrypt and applies a random salt to them.

The attackers may have accessed some companies’ room names and room topics. Messages and content in rooms may have been accessed, though HipChat believes this occurred for less than 0.05 percent of instances.

There was no evidence the attackers accessed financial or credit card information, according to Krishnan.

“As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their password,” said Krishnan. “If you are a user of and do not receive an email from our Security Team with these instructions, we have found no evidence that you are affected by this incident.”

The investigation so far has found no evidence that other Atlassian systems or products were affected by the incident.

Krishnan notes that while Atlassian’s HipChat Server product uses the same vulnerable software library, the way it is typically deployed mitigates the risk of this attack. Nonetheless, Atlassian will be releasing a patch for the issue soon, which should reveal what the affected software library was.

“We are preparing an update for HipChat Server that will be shared with customers directly through the standard update channel,” he said.

Atlassian is working with law enforcement on the investigation.

HipChat reset passwords in 2015 after a breach gave unauthorized access to around 2 percent of its users’ names, usernames, email addresses, and encrypted passwords.