The security team of corporate chat tool HipChat has released a notice alerting its users to a security breach that occurred last weekend (24th April). The breach affected the service's web servers and allowed unauthorised access to user content. According to the statement, the attack was initiated through a shared library developed by a third party and used on the HipChat.com service.
As a precautionary measure, the company says it has invalidated the passwords of all potentially affected users; these users will receive an email with instructions for creating a new password. “If you are a user of HipChat.com and have not received an email from our Security Team with these instructions, it means that we have found no evidence that you were affected by the incident,” said CIO Ganesh Krishnan, author of the statement.
Potentially breached information includes:
– User names, e-mail addresses and hashed passwords in all instances (represented by URLs such as “company.hipchat.com”). In some cases, metadata from chat rooms (such as name and subject matter addressed) may also have been compromised;
– In a few cases (less than 0.05%), content in chat rooms may have been accessed; according to the statement, these customers have been contacted and studied closely.
No evidence has been found of any unauthorized access to customer bank details or payment data. Lastly, the statement says that an update to HipChat Server is already being prepared and will be distributed soon.
Although the data breach has compromised HipChat’s reputation, the fact that the company informed users about it shows respect for those who use and trust the tool. Yet this situation has also created an opportunity and a context for scammers to exploit the subject in attacks such as phishing campaigns.