Story image

Atlassian's workplace chat tool 'HipChat' affected by data breach

02 May 17

Workplace group chat tool HipChat has been hit by a data breach and users are being advised to check if they are vulnerable. The app’s producer Atlassian says it has contacted all affected users, however all users should still change passwords.

In a blog post, HipChat mentions that all passwords are now invalidated on all HipChat-connected user accounts affected by the breach. HipChat users who do not receive an email with password reset instructions have not been affected by the breach. 

According to Stay Smart Online, the breach involved potential unauthorised access to sensitive data, although there is no evidence of access to financial or credit card information. There is also no evidence that any other Atlassian system or product was affected by the breach.

According to the blog post, the breach focused on four areas:

“For all instances (each of which is represented by a unique url—e.g., the attacker may have accessed user account information (including name, email address and hashed password). HipChat hashes passwords using bcrypt with a random salt. Room metadata (including room name and room topic) may have also been accessed.

For a small number of instances (less than 0.05%), messages and content in rooms may have been accessed. We are contacting and will work closely with these customers.

For the vast majority of instances (more than 99.95%), we have found no evidence that messages or content in rooms have been accessed."

The company has isolated all affected systems and blocked any unauthorised access. The company is also working with law enforcement in ongoing investigation.

Stay Smart Online recommends that when a data breach happens, users should change passwords, monitor accounts for suspicious activity and seek advice from the vendor.

Passwords should be different for each online service, more than 10 characters and include upper and lower case letters, numbers and symbols.

Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Security platform provider Deep Instinct expands local presence
The company has made two A/NZ specific leadership hires and formed several partnerships with organisations in the region.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Stepping up to sell security services in A/NZ
WatchGuard Technologies A/NZ regional director gives his top tips on how to make a move into the increasingly lucrative cybersecurity services market.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.