Privacy News HipChat Got Hacked, Some Conversations Got Snooped On

Bot

AI-powered Bot
Thread author
Apr 21, 2016
4,367

HipChat, the chat service for businesses, has been hacked, with evidence pointing to intruders snooping in on private conversations and accessing customer account information.

According to a statement the company released, an attacker was able to infiltrate one of its servers. The server in question powers its cloud-hosted chat service, which helped the intruder extract account records, including names, email addresses and hashed passwords, as well as a number of chat logs and message exchanges.

"As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their passwords," said HipChat's Ganesh Krishnan, chief security officer. "If you are a user of HipChat.com and do not receive an email from our Security Team with these instructions, we have found no evidence that you are affected by the incident."

Read more: HipChat Got Hacked, Some Conversations Got Snooped On
 

Parsh

Dec 27, 2016
1,480
"If you are a user of HipChat.com and do not receive an email from our Security Team with these instructions, we have found no evidence that you are affected by the incident."
And I got the email...
This weekend, our Security Intelligence Team detected an incident affecting HipChat.com that may have resulted in unauthorized access to user account information (including name, email address and hashed password).

HipChat hashes passwords using bcrypt with a random salt. In our security investigation, we found no evidence of unauthorized access to financial and/or credit card information.
We can also confirm that we have found no evidence of other Atlassian systems or products being affected.
As an added precaution, we have reset the password for your HipChat account.
Though I haven't used it much. It had a great feature set but my team switched to Slack henceforth.
They might just have got the hashed passwords, or the logs too, and either is risky though the former may be difficult.

Servers providing cloud infrastructure to tens of thousands of users mainly use multi-tenant allocation, and safeguarding one client's data from others on the same machine or through a gateway is critical.
Clouds have always had some such risk points though many common attack vectors possible earlier are prevented or mitigated by heightened isolation, multi-authentication at server end, extra security layers and so on.

Still, you get to see such instances (of course you cannot protect against all loopholes, mostly unknown). That says how important it is for them to analyse and choose the server/cloud package such startups invest in... and upgrade when they've reached a huge userbase and responsibility.
 
