Craig Davies

HipChat Security Notice and Password Reset

By Craig Davies | 14 hours ago | 15 Comments

Atlassian’s security team has discovered and blocked suspicious activity on the HipChat service that resulted in unauthorized access to names, usernames, email addresses, and encrypted passwords for a very small percentage (<2%) of our users. We have no evidence that any payment information was accessed.

While HipChat passwords are one-way encrypted (hashed and salted), as an added precaution we have triggered a password reset for all affected HipChat user accounts and all Atlassian services that share the same email address. If you have not received communication from us, we do not believe you were affected. However, you can easily change your password here. As a reminder, always avoid using simple passwords based on dictionary words and never use the same password on multiple sites or services.
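As an added illustration of what "one-way encrypted (hashed and salted)" means in practice, here is example code written for this page, not HipChat's or Atlassian's implementation; PBKDF2-HMAC-SHA256 and the iteration count are assumptions, since the notice does not state which algorithm or work factor is used.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; the notice does not state
# HipChat's actual algorithm or work factor.
KDF_NAME = "pbkdf2_sha256"
KDF_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = KDF_ITERATIONS) -> str:
    """Derive a one-way, salted record for storage.

    Returns a self-describing string "algo$iterations$salt_hex$hash_hex"
    so the verifier can recover the parameters later. A fresh random salt
    per user means two users with the same password get different records,
    which defeats precomputed (rainbow) tables if the database leaks.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{KDF_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt/iterations and compare.

    The stored value cannot be reversed to the password; the only way to
    check a candidate is to run the same slow derivation again. The
    comparison is constant-time so timing does not leak partial matches.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != KDF_NAME:
        return False
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)
```

Note that a slow KDF only buys time once a database is exposed; a forced reset, as in this notice, is still the right response because weak or reused passwords can be recovered offline regardless of the salt.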

We take our responsibility to protect you and your data very seriously, and we’re constantly enhancing the security of our service infrastructure to keep you and your data safe. While recent events with other large services have demonstrated this type of activity is increasing, so too is our vigilance in blocking and addressing it.

If you have any questions or concerns, please contact us at support@hipchat.com.

  • https://s.arciszewski.me Scott Arciszewski

    What hashing algorithm were you using? Bcrypt? PBKDF2? Scrypt?

  • Paradox

    In one of their videos, I believe they said Bcrypt.

  • http://www.yesthatallen.com/ Allen Hancock

    How does this relate to API keys we have in use?

  • Andrew Hay

    When did it occur and when was it discovered?

  • http://www.HipChat.com Wesley Faulkner

    If you’d like to cycle tokens you are welcome to – it can’t hurt – but we do not consider it a security threat at this time.

  • http://www.HipChat.com Wesley Faulkner

    If you’d like to cycle tokens you are welcome to, but we do not consider it a security threat at this time.

  • Owen Lystrup

    Will customers who happen to be part of that >2% get an individual communication? When was this breach discovered? How long was it until Atlassian discovered and informed its customer base?

  • boktai1000

    “While HipChat passwords are one-way encrypted (hashed and salted), as an added precaution we have triggered a password reset for all affected HipChat user accounts and all Atlassian services that share the same email address. If you have not received communication from us, we do not believe you were affected.”

  • Owen Lystrup

    Thanks that answers 1/3 of my questions.

  • tiggerTheNigger

    You’re welcome.

  • Catalin

    I think it’s time to enable 2 step auth.

  • Rigged Ice

    It would be a good idea to introduce a two-factor authentication now. For all Atlassian services.

  • gifpaste

    This kind of format would be nice and help avoid all the questions https://sysadmincasts.com/episodes/20-how-to-write-an-incident-report-postmortem

  • callmoo

    Sarcasm? If so then you need to get a life. The guy who answered isn’t an employee for HipChat so has just told you what he knows.

  • http://blog.elamperti.com/ Zim

    It’s a good moment to enable 2-factor authentication. Issue #5811 remains with minor priority…

    https://bitbucket.org/site/master/issue/5811/support-two-factor-authentication-bb-7016