UPDATED 22:47 EDT / APRIL 24 2017


Atlassian’s HipChat hacked with user data and content stolen

HipChat, Atlassian Corp. PLC’s group chat platform, was hacked over the weekend and the hackers got a significant amount of data, including group chat logs.

The notification of the hack came from HipChat Chief Security Officer Ganesh Krishnan, who in a blog post said a hacker obtained access to one of HipChat’s servers from a vulnerability in a third-party software library used by the service.

Data gained from the hack includes names, email addresses and passwords. Krishnan noted that all passwords for the service were hashed with bcrypt using a random salt, a best-practice approach that makes them extraordinarily difficult to crack.

In addition, and perhaps more disturbingly, the hackers also got messages and content from chat rooms. The company puts the figure at only 0.05 percent of all users, but as The Next Web points out, the hackers were likely to have obtained the metadata from all HipChat groups and that metadata itself may contain information that would otherwise not be publicly available.

“As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their passwords,” Krishnan noted. He added that those affected have been sent an email. If any users haven’t received an email, it means the company found no evidence that they had been affected.

HipChat has not said which third-party software library let the hackers in. But it’s likely to be common open-source code that can be found on many sites.

As security firm Veracode Inc. said in a report released in October, the continued and persistent use of vulnerable components in software development is creating systemic risk in digital infrastructure — in particular, the use of open-source software. You don’t need to be a programmer to recognize the names of some of the libraries found to be vulnerable, and the same report found that a staggering 97 percent of apps written in Java have at least one vulnerability.

That said, though a third-party software library may well have been the source of the vulnerability that allowed the hack to occur, that does not absolve Atlassian of responsibility. Third-party libraries or not, the buck stops with the company hosting the service.
