Atlassian’s HipChat hacked with user data and content stolen
HipChat, Atlassian Corp. PLC’s group chat platform, was hacked over the weekend and the hackers got a significant amount of data, including group chat logs.
The notification of the hack came from HipChat Chief Security Officer Ganesh Krishnan, who in a blog post said a hacker obtained access to one of HipChat’s servers from a vulnerability in a third-party software library used by the service.
Data gained from the hack includes names, email addresses and passwords. Krishnan noted that all passwords for the service were hashed with the bcrypt password-hashing function using a random salt, best-practice security that makes them extraordinarily difficult to crack.
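To make concrete why a per-user random salt and a tunable work factor matter once a password table has been stolen, here is an added illustration (not HipChat's or Atlassian's code). It assumes a constructed two-account sample and uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, which shares the two properties being shown: equal passwords no longer produce equal digests, and each guess costs real work.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample: two accounts that happen to share the same weak password.
SAMPLE_ACCOUNTS = {"alice": "hunter2", "bob": "hunter2"}

Record = Tuple[bytes, int, bytes]  # (salt, work factor, digest) as stored


def unsalted_fast_hash(password: str) -> str:
    """The anti-pattern: a single fast, unsalted digest. Equal passwords give
    equal digests, so a stolen dump can be matched against a table built once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_slow_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = 100_000) -> Record:
    """Per-user random salt plus a tunable cost, the two properties the article
    credits bcrypt with. PBKDF2-HMAC-SHA256 (stdlib) stands in for bcrypt here;
    salt and cost are stored next to the digest so verification can repeat them."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify(password: str, record: Record) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def build_dumps(accounts: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, bytes]]:
    """Return (unsalted dump, salted dump) as they would appear in a leaked table."""
    unsalted = {user: unsalted_fast_hash(pw) for user, pw in accounts.items()}
    salted = {user: salted_slow_hash(pw)[2] for user, pw in accounts.items()}
    return unsalted, salted


def distinct_digests(dump: Dict[str, object]) -> int:
    """Number of distinct digests in a dump. With random salts every account
    gets its own digest even when the underlying passwords repeat."""
    return len(set(dump.values()))


if __name__ == "__main__":
    unsalted, salted = build_dumps(SAMPLE_ACCOUNTS)
    print("distinct unsalted digests:", distinct_digests(unsalted))  # 1: linkable, table-matchable
    print("distinct salted digests:  ", distinct_digests(salted))    # 2: each must be attacked separately
```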
In addition, and perhaps more disturbingly, the hackers also got messages and content from chat rooms. The company puts the figure at only 0.05 percent of all users, but as The Next Web points out, the hackers were likely to have obtained the metadata from all HipChat groups and that metadata itself may contain information that would otherwise not be publicly available.
“As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their passwords,” Krishnan noted. He added that those affected have been sent an email. If any users haven’t received an email, it means the company found no evidence that they had been affected.
HipChat has not said which third-party software library let the hackers in. But it’s likely to be common open-source code that can be found on many sites.
As security firm Veracode Inc. said in a report released in October, the continued and persistent use of vulnerable components in software development is creating systemic risk in digital infrastructure — in particular, the use of open-source software. You don’t have to be a programmer to know some of the names of the software libraries that were found to be vulnerable either, with the same report finding that a staggering 97 percent of apps written in Java have at least one vulnerability.
That said, though a third-party software library may well have been the source of the vulnerability that allowed the hack to occur, that does not absolve Atlassian of responsibility. Third-party libraries or not, the buck stops at the company hosting the service.
Image: HipChat