Hipchat, the group messaging and team collaboration tool from Aussie unicorn startup Atlassian, had its security compromised over the weekend. Intruders accessed account names and email addresses, as well as Hipchat’s encrypted database of account passwords.
In a statement emailed to users advising them of the breach, Hipchat’s chief security officer Ganesh Krishan said that although the stored password hashes were accessed, the way Atlassian stores Hipchat passwords meant the passwords themselves were still considered secure.
This weekend, our Security Intelligence Team detected an incident affecting HipChat.com that may have resulted in unauthorized access to user account information (including name, email address and hashed password). HipChat hashes passwords using bcrypt with a random salt. In our security investigation, we found no evidence of unauthorized access to financial and/or credit card information. We can also confirm that we have found no evidence of other Atlassian systems or products being affected.
Atlassian stored Hipchat’s passwords using a combination of hashing (a mathematical function that turns a password into an unintelligible, fixed-length string of characters, repeatably, but in a way that cannot easily be reversed back to the original password) and salting (a random string, unique to each user, added to the password before it is hashed, so that two users with the same password get different hashes and precomputed tables of common-password hashes cannot be used against the stolen database).
Hipchat is Atlassian’s long-running chat app, although in recent years it’s somewhat fallen into the shadow of flashier competitor Slack. Atlassian bought Hipchat in 2012 — the service itself was founded in 2010 — and it’s one of the many pieces of business software alongside Jira, Confluence and Trello that the company operates. Atlassian did go to pains to say that it has no evidence of any other services being affected by the intrusion.
This latest breach should serve as a dual reminder: use a strong, unique password on every online service you access, and don’t use those online services to share or store passwords or other sensitive information — unless, like 1Pass or LastPass, they’re specifically designed for it.