Group chat service HipChat announced on its blog that its Security Intelligence Team detected a “vulnerability” in a third-party library used by the app. In simpler terms, some of the information on a server in their cloud web tier may have been hacked. To try to keep whoever breached the system from accessing more user information, they have reset the passwords of the affected users. Fortunately, no other products from the company have been similarly compromised.
If you did not receive an email from HipChat with instructions on how to reset your password, then your account was not among those that were hacked. The attacker was able to access user account information, which includes username, email address, hashed password, and maybe even room metadata like the room name and topic. Less than 0.5% of the instances of hacked accounts had access to messages and content in the rooms.
The good news, well, sort of good news, is that the hackers were not able to access the financial and/or credit card information in its user database, which would have put them in even more hot water had it happened. They also emphasized that no other products from Atlassian (the developer of HipChat), like Trello or Jira, were affected.
They are preparing an update for HipChat that will make the app more secure and minimize the risk of similar types of attacks. They are also continuing to investigate how such a breach could have happened and who was responsible.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.