Yesterday, HipChat released a statement saying that their team had detected a security incident affecting a HipChat cloud tier, caused by a vulnerability in a popular third-party library they used.
As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their password. If you are a user of HipChat.com and do not receive an email from our Security Team with these instructions, we have found no evidence that you are affected by this incident.
In their announcement, they say the attacker may have accessed the following data:
- for all instances (each of which is represented by a unique url—e.g. company.hipchat.com), the attacker may have accessed user account information (including name, email address and hashed password). HipChat hashes passwords using bcrypt with a random salt. Room metadata (including room name and room topic) may have also been accessed.
- for a small number of instances (less than 0.05%), messages and content in rooms may have been accessed. We are contacting and will work closely with these customers.
- for the vast majority of instances (more than 99.95%), we have found no evidence that messages or content in rooms have been accessed.
- Additionally, we have found no evidence of unauthorized access to financial and/or credit card information.
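Two details in the announcement matter to anyone running a credential store: passwords were stored as bcrypt hashes with a random per-user salt, and the response was to invalidate every password and force a reset. The following is an added example, not HipChat's code. It uses `hashlib.scrypt` from Python's standard library as a stand-in slow KDF (the page says bcrypt; scrypt is substituted here only so the example runs without third-party packages), shows why a random salt stops leaked hashes from being matched against a precomputed table, and models the "invalidate all, then reset" step in a minimal store. Cost parameters, the `CredentialStore` class and the sample accounts are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example (not HipChat's code). The page says HipChat stores bcrypt hashes
# with a random per-user salt; hashlib.scrypt is used here as a standard-library
# stand-in for a slow, salted KDF. Parameters below are a constructed choice.
SCRYPT_N = 2 ** 14   # CPU/memory cost (about 16 MiB at r=8)
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def salt_makes_hashes_distinct(password: str) -> bool:
    """Same password enrolled twice yields different salts and different digests.
    This is why a leaked, salted hash cannot be looked up in a precomputed table."""
    s1, d1 = hash_password(password)
    s2, d2 = hash_password(password)
    return s1 != s2 and d1 != d2


class CredentialStore:
    """Minimal user store with the post-incident 'invalidate all passwords' step."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def enrol(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._records[email] = {"salt": salt, "digest": digest, "must_reset": False}

    def login(self, email: str, password: str) -> bool:
        rec = self._records.get(email)
        if rec is None or rec["must_reset"]:
            return False  # unknown user, or credential invalidated after the incident
        return verify_password(password, rec["salt"], rec["digest"])

    def invalidate_all(self) -> int:
        """Force a reset for every account; returns how many accounts were flagged."""
        for rec in self._records.values():
            rec["must_reset"] = True
        return len(self._records)

    def reset_password(self, email: str, new_password: str) -> None:
        """Complete a reset: new salt, new digest, reset flag cleared."""
        salt, digest = hash_password(new_password)
        self._records[email] = {"salt": salt, "digest": digest, "must_reset": False}

    def must_reset(self, email: str) -> bool:
        return self._records[email]["must_reset"]


if __name__ == "__main__":
    # Constructed walk-through: enrol, breach response, reset.
    store = CredentialStore()
    store.enrol("alice@example.com", "pw-one")      # constructed sample account
    print("login before incident:", store.login("alice@example.com", "pw-one"))
    print("accounts invalidated:", store.invalidate_all())
    print("old password after invalidation:", store.login("alice@example.com", "pw-one"))
    store.reset_password("alice@example.com", "pw-two")
    print("new password after reset:", store.login("alice@example.com", "pw-two"))
    print("salted hashes differ for same password:", salt_makes_hashes_distinct("pw-one"))
```

Note that invalidation only flips a flag; the old salt and digest stay in the record until the user completes the reset, which mirrors why a breach of salted, slow hashes still warrants a forced reset rather than relying on the hashing alone.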
Finally, they are confident they have isolated the affected systems and closed any unauthorized access. They are also working with authorities to investigate this breach.