All HipChat passwords reset after damaging hack

Attackers access sensitive user data.

Australian software vendor Atlassian has reset all user passwords for its popular workplace communication platform HipChat after an attacker broke into the platform and accessed user data.

A vulnerability in Apache Struts 2, a third-party library used by HipChat, was exploited by attackers who broke into one of the servers powering its cloud-hosted chat service, HipChat chief security officer Ganesh Krishnan revealed.

He said there was evidence the attackers had made off with some user account information (names, email addresses and hashed passwords) and room metadata (room name and topic).

Messages and content in rooms also "may have been accessed" for less than 0.05 percent of HipChat users, Atlassian said. Those affected were customers using a domain of the form company.hipchat.com. Atlassian said it was "working closely" with these customers.

It said there was no evidence that financial or credit card data had been accessed, and that no other Atlassian systems or products were affected.

"We are confident we have isolated the affected systems and closed any unauthorised access," Krishnan said.

"This is an ongoing investigation and Atlassian is actively working with law enforcement authorities on the investigation of this matter."

The remote code execution flaw in Apache Struts 2 was disclosed last month and has since been exploited in the wild to run arbitrary commands on vulnerable servers and install malicious programs.

Atlassian's HipChat Server platform also uses Struts 2 but is normally deployed in a way that "minimises the risk of this type of attack", Krishnan said. The company is rolling out a security update for HipChat Server regardless.

All passwords on HipChat user accounts have been invalidated and users have been instructed to set new credentials.

Atlassian did not detail how many users had been affected. It noted that any stolen passwords would be difficult to crack because they are stored salted and hashed with the bcrypt algorithm, so an attacker holding the dump must attack each user's password individually, paying bcrypt's work factor on every guess.
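To make concrete why a per-user salt plus a slow hash blunts the value of a stolen password table, the following is an added example written for this article, not Atlassian's code and not a description of how HipChat stores credentials. It uses hashlib.scrypt from the Python standard library in place of bcrypt (which is not in the standard library); the mechanism shown, a random salt per record combined with a tunable work factor and constant-time comparison, is the same one bcrypt provides. The cost parameters, record layout and wordlist are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed work-factor parameters (scrypt standing in for bcrypt's cost).
# 128 * N * r bytes of memory per derivation: 16 MiB at these settings.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def _derive(password: str, salt: bytes) -> bytes:
    """One full work-factor computation. An attacker pays this per guess."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DKLEN,
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Build a stored record: a fresh random 16-byte salt plus the derived key.

    Because the salt is random per record, two users with the same password
    get different hashes, so precomputed (rainbow) tables are useless and a
    match for one user tells the attacker nothing about another.
    """
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = _derive(password, salt)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def offline_crack(record: Dict[str, str], wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Simulate an attacker holding one leaked record and a wordlist.

    Returns (recovered_password_or_None, number_of_derivations_performed).
    Every guess costs a full derivation, and the cost cannot be amortised
    across users because each record carries its own salt.
    """
    attempts = 0
    for guess in wordlist:
        attempts += 1
        if verify_password(guess, record):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    users = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),
    }
    # Same password, different stored hashes because of the per-user salt.
    print("alice == bob hash:", users["alice"]["hash"] == users["bob"]["hash"])
    print("alice login ok:", verify_password("correct horse battery staple", users["alice"]))
    # Constructed wordlist: the attacker pays one derivation per entry per user.
    wordlist = ["123456", "password", "hipchat", "correct horse battery staple"]
    print("crack alice:", offline_crack(users["alice"], wordlist))
```

The point to take from running it is the ratio: the defender pays one derivation per login, while an attacker pays one derivation per guess per user, and the work factor is a knob the defender can raise as hardware gets faster.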

Copyright © iTnews.com.au . All rights reserved.