HipChat, Atlassian’s workplace chat platform, was hacked over the weekend. The hackers leveraged a vulnerability in a third-party library that HipChat uses to get in to see messages and content rooms. Michael Patterson, CEO at Plixer International commented below.
Michael Patterson, CEO at Plixer International:
“The security status of ChatOps tools like HipChat is serious business. ChatOps tools are used to support a DevOps and collaboration culture, meaning that teams of people as well as technology systems are dynamically connected and critical business processes can be automated. When a ChatOps tool becomes compromised, there is a high likelihood that the attacker can suddenly gain access across the most trusted and an important system a company has. HipChat hashes passwords using bcrypt with a random salt, which adds a layer of security, and they reset the passwords associated with effected accounts. In this case the compromise came from a trusted 3rd party, which highlights that threat surfaces for any tool extend beyond the manufacturer themselves. At this point it appears the security incident may have exposed user account information (name, email address, and hashed password) as well as room metadata (room name and room topic). Some messages and content within rooms may have been compromised as well.”