
According to HipChat, a successful intrusion was discovered on the servers of the web version of HipChat; it resulted from a vulnerability in one of the third-party libraries used by the service. The company states that no evidence was found that any other Atlassian systems or products were affected.
As a precautionary measure, HipChat invalidated the passwords on all user accounts connected to HipChat and emailed all users with instructions for resetting their password. If a HipChat user did not receive such an email, their account is considered unaffected.
The scope of the incident is limited:
- on all affected service instances (an instance is defined by a unique server name, for example company.hipchat.com), attackers could have gained access to user account information (name, email address and password hash; HipChat hashes passwords with bcrypt and a random salt). Room metadata (room name and topic) could also have been accessed.
- on a small number of instances (fewer than 0.05%), messages and room contents could have been accessed. These users are being contacted separately.
On the remaining instances (more than 99.95%) no traces of intrusion were found. No trace of access to financial or payment card data was found either.
Although the HipChat Server product uses the same third-party library, it is typically deployed in a way that minimizes the risk of attack. The upcoming HipChat Server update will be available through the standard software distribution channels.