HipChat users should reset their passwords after a vulnerability was discovered in a “popular third-party library” used on the service’s website this weekend. The parent company Atlassian claimed that there’s no evidence to suspect that other systems or products have been affected. It has since reset the passwords for all HipChat-connected user accounts and sent an email with instructions on how to regain access.
Some people may be impacted more than others, as Atlassian believes unauthorized persons may have accessed not only user account information such as name, email address, and hashed passwords, but likely also room metadata. The company said that in less than 0.05 percent of instances, messages and content could also have been compromised, and it’s working with affected users to fix the problem.
However, more than 99 percent of users are not believed to be inconvenienced by this hacking incident.
In a blog post, Ganesh Krishnan, Atlassian’s chief security officer, wrote: “While HipChat Server uses the same third-party library, it is typically deployed in a way that minimizes the risk of this type of attack. We are preparing an update for HipChat Server that will be shared with customers directly through the standard update channel.”
He continued: “We are confident we have isolated the affected systems and closed any unauthorized access.”
The company said it’s working with law enforcement to investigate the breach.