HipChat hacked, user account info and some content potentially compromised

The breach occurred over the weekend due to a vulnerability in a third-party library used by HipChat.com.
Written by Stephanie Condon, Senior Writer

Atlassian's workplace chat platform HipChat was hacked over the weekend, the company announced in a security notice, due to a vulnerability in a third-party library used by HipChat.com.

The incident affected a server in the HipChat Cloud web tier, and for a small number of instances (less than 0.05 percent), there's evidence messages and content in rooms may have been accessed.

For all instances, the attacker may have accessed user account information like names, email addresses, and hashed passwords. Room metadata (including room name and room topic) may have also been accessed.

Hipchat chief security officer Ganesh Krishnan noted that HipChat hashes passwords using bcrypt with a random salt. As a precaution, Hipchat have invalidated passwords on all potentially affected HipChat-connected user accounts and sent those users instructions on how to reset their password. The company is also readying a HipChat Server update in response to the attack.

There's no evidence the breach impacted other Atlassian systems, like Jira, Confluence, or Trello.

"We are confident we have isolated the affected systems and closed any unauthorized access," Krishnan wrote.

Enterprise collaboration set for smart revolution in 2017

Editorial standards