Atlassian’s group chat service for businesses and teams HipChat has reset all its users’ passwords after detecting a “security incident” over the weekend. IT security experts from Positive Technologies, AlienVault, ESET and Tripwire commented below.
Alex Mathews, Lead Security Evangelist at Positive Technologies:
“There is a growing trend in the use of collaboration tools like HipChat, which means lots of very sensitive company information is now reliant on the security of outsourced providers. Teams use them for everything from product development to business strategy, with absolute trust in the platform’s security.
“The problem is, if there is a vulnerability the scope for illicit collection of sensitive and valuable company data is huge. As in this case, it doesn’t even have to be the code written by the platform provider itself that is vulnerable, but written by a third party.
“We would advise all users to change their passwords immediately and update any other logins that use the same email address. Enterprise customers should refrain from using the application to share sensitive information until an update has been issued closing the vulnerability.”
Javvad Malik, Security Advocate at AlienVault:
“HipChat have done a good job of communicating the breach to customers in a timely manner, indicating that they had monitoring controls in place to look for breaches. The company also provided reassurance on the security of its systems with passwords being hashed with bcrypt. It also followed up with the good step and advice to customers to reset their passwords.
“Customers should also be sure to change their passwords on other systems if they were reusing the same one.
“While HipChat has apparently covered all the bases and should be commended for their swift and appropriate response. There is the small issue of other data that could have been potentially accessed by attackers.
“The company states it is confident that actual data from rooms was not accessed, but metadata was probably accessible. This on its own could be concerning to some enterprises, as information can be inferred from metadata. As an outlandish example, if Apple were using HipChat and had a room entitled, “Self Driving iCar” one could infer what the next direction of the company is.”
Mark James, IT Security Specialist at ESET:
“The company has stated that “In less than 0.05% of instances, hackers may have infiltrated private messages and content within rooms as well”. What does this mean? Well, in theory it means that someone who is going to try and phish or scam for your details may have enough information to trick you into replying or clicking the link. Most spam ends up in the bin, but when there is an element of trust or truth in the context of the attack we are more likely to follow it through. Emails talking about room names or topics might just be enough to keep the email out of the bin!
The positive here is how quickly they have acted, password resets are good and notifying affected users quickly is a major plus. We often hear about these types of breaches months if not years after they have happened, but in this case we have seen a good description of events with plenty of information about who, what and when.”
Paul Edon, Director at Tripwire:
“It sounds as though HipChat take their cyber security seriously as the leaked data was hashed and salted, making it more difficult to crack. The issue seems to have been caused by a vulnerability in a third-party library used by HipChat rather than a specific service provided by a third party. The question is, was this a known vulnerability? If “unknown” well done HipChat for the speed at which they identified the breach and took the necessary action to remediate further loss or damage. However, if the vulnerability was “known” then this is another case where security best practise – vulnerability and patch management would have almost certainly prevented the breach.”