HipChat security notice

Chief Security Officer | April 24, 2017

This weekend our Security Intelligence Team detected a security incident affecting a server in the HipChat Cloud web tier. The incident involved a vulnerability in a popular third-party library used by HipChat.com. We have found no evidence of other Atlassian systems or products being affected.

As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their password. If you are a user of HipChat.com and do not receive an email from our Security Team with these instructions, we have found no evidence that you are affected by this incident.

We believe this incident may have resulted in unauthorized access to content from the HipChat.com service. Specifically:

  • for all instances (each of which is represented by a unique URL—e.g. company.hipchat.com), the attacker may have accessed user account information (including name, email address and hashed password). HipChat hashes passwords using bcrypt with a random salt. Room metadata (including room name and room topic) may have also been accessed.
  • for a small number of instances (less than 0.05%), messages and content in rooms may have been accessed. We are contacting and will work closely with these customers.
  • for the vast majority of instances (more than 99.95%), we have found no evidence that messages or content in rooms have been accessed.
  • Additionally, we have found no evidence of unauthorized access to financial and/or credit card information.

While HipChat Server uses the same third-party library, it is typically deployed in a way that minimizes the risk of this type of attack. We are preparing an update for HipChat Server that will be shared with customers directly through the standard update channel.

We are confident we have isolated the affected systems and closed any unauthorized access. To reiterate, we have found no evidence of other Atlassian systems or products being affected.

This is an ongoing investigation and Atlassian is actively working with law enforcement authorities on the investigation of this matter.

If you have any questions or concerns, please contact us at support@hipchat.com.