HipChat users should reset their passwords after a vulnerability was discovered this weekend in a “popular third-party library” used on the service’s website. Parent company Atlassian claimed there’s no evidence to indicate that other systems or products have been affected. It has since reset the passwords for all HipChat-connected user accounts and sent an email with instructions on how to regain access.
Some people may be impacted more than others: Atlassian believes unauthorized persons may have accessed not only user account information, such as names, email addresses, and hashed passwords, but likely room metadata as well. The company said that in less than 0.05 percent of instances, messages and content could also have been compromised. Atlassian said it’s working with affected users to fix any problems.
However, more than 99 percent of users are not believed to have been inconvenienced by this hacking incident.
In a blog post, Ganesh Krishnan, Atlassian’s chief security officer, wrote: “While HipChat Server uses the same third-party library, it is typically deployed in a way that minimizes the risk of this type of attack. We are preparing an update for HipChat Server that will be shared with customers directly through the standard update channel.”
He continued: “We are confident we have isolated the affected systems and closed any unauthorized access.”
The company said it’s working with law enforcement to investigate the breach.