Atlassian's HipChat hacked, user data and private messages compromised
Atlassian's group chat platform HipChat is notifying its users of a data breach after some unknown hacker or group of hackers broke into one of its servers over the weekend and stole a significant amount of data, including group chat logs.
What Happened?
According to a security notice published on the company's website today, a vulnerability in a "popular third-party" software library used by its HipChat.com service allowed hackers to break into its server and access customer account information.
However, HipChat did not say exactly which programming blunder the hackers exploited to get into the HipChat cloud server.
What Type of Information?
Data accessed by the hackers includes user account information such as customers' names, email addresses and hashed password information.
Besides account information, attackers may have obtained metadata from HipChat "rooms" or groups, including room name and room topic. While metadata is not as sensitive as direct messages, it is still enough to reveal information that was not intended to be public.
Worse yet, the hackers may also have stolen messages and content in chat rooms, but in a small number of instances (about 0.05%). There has been no sign that over 99% of users' messages or room content was compromised.
Fortunately, there's no evidence that the attackers have accessed anyone's credit card or financial information.
Who Is Not Affected?
HipChat users not connected to the affected third-party software library are not affected by the data breach.
Other Atlassian properties also appear to be safe: the company says there is no evidence that other Atlassian systems or products, such as Jira, Confluence or Trello, have been affected by the hack.
To Worry or Not to Worry?
There's no need to panic, as the passwords that may have been exposed in the breach would also be difficult to crack.
Atlassian Chief Security Officer Ganesh Krishnan noted that HipChat hashes all passwords using the bcrypt cryptographic algorithm, with a random salt.
Bcrypt transforms each password into a string of random-looking characters and is deliberately slow to compute, so brute-forcing all of the HipChat account passwords would take centuries.
For added security, HipChat also "salted" each password with a random value before hashing it, adding further protection against possible recovery of the original passwords.
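To show concretely what a random salt plus a slow hash buys a defender, here is an added example; it is not code from Atlassian, HipChat or the original article. It uses Python's standard-library PBKDF2-HMAC in place of bcrypt (a third-party package) because the design point is the same: a fresh random salt per password and a tunable work factor. The record format, the 200,000-iteration work factor and the sample passwords are the example's own assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor (assumed value for this example). Bcrypt expresses this as a
# "cost" exponent; PBKDF2 uses an iteration count. Either way, raising it makes
# every guess proportionally slower for an attacker who steals the hash table.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn for every password, so two users with the same
    password get different hashes and a precomputed lookup table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the salt and work factor stored in the record."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def salts_differ(password: str, iterations: int = ITERATIONS) -> bool:
    """Same password stored twice: the records differ, yet both verify."""
    a = hash_password(password, iterations=iterations)
    b = hash_password(password, iterations=iterations)
    return a != b and verify_password(password, a) and verify_password(password, b)


def seconds_per_guess(record: str, samples: int = 3) -> float:
    """Measure how long one verification takes against this record.

    This is the per-guess cost an attacker pays offline; multiplying it by the
    size of the guess space gives the brute-force time the article refers to.
    """
    start = time.perf_counter()
    for _ in range(samples):
        verify_password("not the real password", record)
    return (time.perf_counter() - start) / samples


def bruteforce_years(record: str, guesses: int = 2 ** 40) -> float:
    """Extrapolate a single-core brute-force time in years for `guesses` attempts."""
    return seconds_per_guess(record) * guesses / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("correct password verifies:", verify_password("correct horse battery staple", stored))
    print("wrong password rejected:  ", not verify_password("hunter2", stored))
    print("two records for one password differ:", salts_differ("hunter2"))
    print(f"one guess costs {seconds_per_guess(stored):.4f}s; "
          f"2^40 guesses ~ {bruteforce_years(stored):.0f} years on one core")
```

The per-guess timing is what makes the "centuries" claim concrete: the salt forces an attacker to attack each user's hash separately, and the work factor fixes the price of every individual guess.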
However, breaches like this are made worse by two things: the many breaches that preceded it, and the fact that the majority of users reuse the same or similar passwords across multiple accounts.
So it doesn't take much for hackers to cross-reference a user's username or email address against a database from a previous breach and find an old password, placing users at greater risk of a hack.
How Many Victims?
HipChat did not say how many users may have been affected by the incident, but the company is taking several proactive steps to secure its users.
What is HipChat doing?
As a precaution, HipChat has invalidated passwords on all potentially affected HipChat-connected accounts, and emailed password reset instructions, forcing every user to reset their account password.
The company is also attempting to track down and fix the security vulnerability in the third-party library used by its service that allowed for the breach.
In response to the attack, the company is also preparing an update to its HipChat Server product, which will be shared with customers directly through the standard update channel.
HipChat has also isolated the affected systems and closed any unauthorized access.
HipChat parent company Atlassian is also actively working with law enforcement on the investigation of this matter.
What Should You Do Now?
For obvious reasons, all HipChat customers are strongly advised to change their passwords as soon as possible.
You should also be particularly alert to phishing emails, which are usually cyber criminals' next step after a breach. Phishing is designed to trick users into giving up further details such as passwords and bank information.
from The Hacker News http://ift.tt/2p0fIPr