HipChat, a popular communications platform for businesses, warned users Monday it experienced a database breach, which may have compromised the names, email addresses and passwords of its users.
In addition to user information, HipChat warned users that metadata from company “rooms” or groups also may have been accessed, including room names and room topics. Worse yet, in a small number of instances, messages from a room may have been stolen.
HipChat chief security officer Ganesh Krishnan assured users in a blog post Monday that fewer than 0.05 percent of instances had messages accessed, and that passwords were hashed with bcrypt using a random salt. bcrypt is a deliberately slow password-hashing function, not an encryption protocol, and a random salt per password means that identical passwords produce different hashes, so an attacker cannot use precomputed tables and has to crack each stolen hash separately.
Krishnan’s assessment, which amounts to saying the situation could have been worse had the company not followed standard best practices, is the good news for HipChat users who may be affected by the breach.
The bad news is pretty much everything else, since a significant amount of user data was compromised. While metadata may not be as explicitly exposing as direct messages, room names and topics are still enough to infer which teams, projects or clients an organization is working with, none of which was meant to be public.
In addition, breaches like this are made worse by the fact that there have been so many breaches before it. It doesn’t take much for an attacker to cross-reference a username or email address against a dump from a previous breach and find an old password. Since many people use the same or similar passwords for multiple accounts, a password leaked from one site can unlock others; a salted, slow hash makes bulk cracking expensive, but it offers no protection when the attacker already knows the password to try.
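To make the two points above concrete, here is an added example that is not from HipChat, Atlassian or the original article. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (both are salted, deliberately slow password hashes; bcrypt is not in the standard library), builds a constructed, hypothetical "stolen table" of salted hashes, and then shows (a) why a random salt hides shared passwords and defeats a precomputed table, and (b) why a password already leaked from an older breach can still be verified against a user's new salted hash. All emails, passwords and the `OLD_BREACH`/`NEW_BREACH` tables are made up for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameter. bcrypt expresses cost as a work factor (2**cost rounds);
# PBKDF2 expresses it as an iteration count. Both exist to make each guess slow.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh random salt is drawn per password unless given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed sample data: hypothetical users and passwords, not from any real breach.
# This is what a stolen table of salted hashes looks like: email -> (salt, digest).
_NEW_BREACH_PLAINTEXTS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "Summer2016!",
    "carol@example.com": "Summer2016!",  # same password as bob
    "dave@example.com": "unique-and-long-passphrase-42",
}
NEW_BREACH = {email: hash_password(pw) for email, pw in _NEW_BREACH_PLAINTEXTS.items()}

# A constructed older dump from another site that leaked plaintext (or already-cracked)
# passwords, keyed by the same email addresses.
OLD_BREACH = {
    "bob@example.com": "Summer2016!",           # reused on the new site -> at risk
    "carol@example.com": "carol-old-password",  # changed since -> no match
    "erin@example.com": "hunter2",              # not a user of the new site
}


def salting_hides_reuse() -> bool:
    """Same password, different users: salts differ, so stored hashes differ too.
    From the table alone an attacker cannot see that bob and carol share a password."""
    salt_b, digest_b = NEW_BREACH["bob@example.com"]
    salt_c, digest_c = NEW_BREACH["carol@example.com"]
    return salt_b != salt_c and digest_b != digest_c


def precomputed_table_fails() -> bool:
    """A precomputed (rainbow-style) table built without the per-user salt matches nothing."""
    table = {hashlib.sha256(pw.encode("utf-8")).digest(): pw for pw in OLD_BREACH.values()}
    hits = [email for email, (_, digest) in NEW_BREACH.items() if digest in table]
    return hits == []


def cross_reference(old_dump: dict, new_dump: dict) -> list:
    """Credential-reuse check: try each user's old password against their new salted hash.
    Salting forces one slow hash computation per (user, guess) pair, but a single known
    password per user is cheap to try, which is why reuse still hurts."""
    at_risk = []
    for email, old_password in old_dump.items():
        if email not in new_dump:
            continue
        salt, digest = new_dump[email]
        if verify_password(old_password, salt, digest):
            at_risk.append(email)
    return sorted(at_risk)


if __name__ == "__main__":
    print("salting hides shared passwords:", salting_hides_reuse())
    print("precomputed table gets any hits:", not precomputed_table_fails())
    print("users reusing an already-leaked password:", cross_reference(OLD_BREACH, NEW_BREACH))
```

The same `cross_reference` loop is what a defender runs, with a list of known-leaked credentials, to decide whose passwords to invalidate first; the attacker's version differs only in intent.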
In response to the breach, HipChat parent company Atlassian has invalidated the passwords of all HipChat-connected accounts that may have been affected. Those users should receive an email with instructions on how to reset their passwords.
Atlassian is also working to identify and fix the root cause, which it attributes to a third-party library with an unpatched security vulnerability. The company said HipChat instances that did not use that library were unaffected, and that other Atlassian products were not impacted.