Atlassian’s group chat platform for business was hacked over the weekend. The service, HipChat, has reset all of its users’ passwords after a security incident was flagged due to a vulnerability in a third-party library used by HipChat.com.
A security notice was released on Monday (24 April), with the company saying hackers could potentially have accessed a significant amount of personal data. Users’ account information such as names, email addresses and hashed passwords, as well as room metadata, is thought to have been accessed in the breach.
The attack is thought to have affected less than 0.05%, where hackers may have infiltrated private messages and content within rooms on one of the servers in the HipChat Cloud web tier.
Although Atlassian has claimed it has isolated the incident and that there was no evidence the breach impacted other Atlassian systems, the breach of personal information is of extreme significance and concern, as highlighted by Robert Capps, VP of business development at NuData Security. He says: “With just a name and email address, there is an outsized risk to consumers from targeted phishing and malware attacks. Stolen consumer data can be combined with other personally identifiable information (PII) from other hacks and breaches to amass even more detailed profiles of users that are traded and sold to other hackers and fraudsters. These bundles of data contain much more complete information about specific individuals, providing greater opportunities for fraud to take place.”
Many infosecurity experts were quick to praise HipChat’s rapid and efficient response to the breach. Javvad Malik, Security Advocate at AlienVault, said: “They have done a good job of communicating the breach to customers in a timely manner, indicating that they had monitoring controls in place to look for breaches. The company also provided reassurance on the security of its systems, with passwords being hashed with bcrypt. It also followed up with the good step and advice to customers to reset their passwords.”
Javvad also advised that “customers should also be sure to change their passwords on other systems if they were reusing the same one. While HipChat has apparently covered all the bases and should be commended for their swift and appropriate response, there is the small issue of other data that could have been potentially accessed by attackers.”
Paul Edon, Director at Tripwire, noted that the leaked data was “hashed and salted”, making it difficult to crack, adding “it sounds as though HipChat take their cyber security seriously.” Paul did, however, have one concern regarding whether the breach came from a known vulnerability. “If ‘unknown’, well done HipChat for the speed at which they identified the breach and took the necessary action to remediate further loss or damage. However, if the vulnerability was ‘known’ then this is another case where security best practice – vulnerability and patch management – would have almost certainly prevented the breach.”
As a precaution, HipChat has invalidated passwords on all potentially affected HipChat-connected user accounts and sent those users instructions on how to reset their passwords. In response to the attack, the company is also preparing a server update.
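The two controls the experts above credit HipChat with, salted slow password hashing and a blanket password invalidation after the breach, are easy to show in a few dozen lines. The following is an added illustration written for this article; it is not Atlassian's or HipChat's code and says nothing about how their systems are built. Python's standard library has no bcrypt, so it uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in with the same two properties the article relies on: a random per-user salt, and a work factor that makes each guess expensive. The email addresses and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Work factor. bcrypt expresses this as a cost exponent; PBKDF2 as an
# iteration count. Either way the point is that one guess costs real CPU time.
ITERATIONS = 100_000
SALT_BYTES = 16


@dataclass
class Account:
    email: str
    salt: bytes
    digest: bytes
    reset_required: bool = False   # set after a breach: old password no longer logs in


class CredentialStore:
    """Minimal salted-hash credential store (illustration only, not HipChat's code)."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per account
        self._accounts[email] = Account(email, salt, self._hash(password, salt))

    def verify(self, email: str, password: str) -> bool:
        acct = self._accounts.get(email)
        if acct is None:
            # Do the same work for unknown users so response time does not reveal
            # whether an email address is registered.
            self._hash(password, b"\x00" * SALT_BYTES)
            return False
        if acct.reset_required:
            return False                        # invalidated: must go through reset
        return hmac.compare_digest(acct.digest, self._hash(password, acct.salt))

    def invalidate_all(self) -> None:
        """Breach response: every stored password stops working until reset."""
        for acct in self._accounts.values():
            acct.reset_required = True

    def reset_password(self, email: str, new_password: str) -> None:
        acct = self._accounts[email]
        acct.salt = os.urandom(SALT_BYTES)      # new salt with the new password
        acct.digest = self._hash(new_password, acct.salt)
        acct.reset_required = False

    def digest_of(self, email: str) -> bytes:
        return self._accounts[email].digest


def run_demo() -> dict:
    """Exercise the store with constructed sample accounts and return the outcomes."""
    store = CredentialStore()
    store.register("alice@example.test", "correct horse battery")   # constructed
    store.register("bob@example.test", "correct horse battery")     # same password

    results = {
        # Salt means identical passwords do not produce identical stored hashes,
        # so a leaked table cannot be matched against a precomputed list.
        "same_password_differs": store.digest_of("alice@example.test")
                                 != store.digest_of("bob@example.test"),
        "login_ok": store.verify("alice@example.test", "correct horse battery"),
        "wrong_pw": store.verify("alice@example.test", "wrong"),
        "unknown_user": store.verify("nobody@example.test", "correct horse battery"),
    }

    store.invalidate_all()                      # the precaution described above
    results["after_invalidate"] = store.verify("alice@example.test", "correct horse battery")

    store.reset_password("alice@example.test", "a new long passphrase")
    results["after_reset_new"] = store.verify("alice@example.test", "a new long passphrase")
    results["after_reset_old"] = store.verify("alice@example.test", "correct horse battery")
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The invalidation flag, rather than deleting the stored hashes, is deliberate: the account keeps working for the reset flow while every login with the old credential is refused, which is the behaviour the notice describes for affected users.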
ESET IT security specialist Mark James also noted how quickly HipChat reacted, saying: “Password resets are good and notifying affected users quickly is a major plus. We often hear about these types of breaches months if not years after they have happened, but in this case we have seen a good description of events with plenty of information about who, what and when.”