HipChat Compromised / Password Reset

MikePT Moderator, Patron Provider, Veteran
edited April 2017 in General

As a notice to our fellow LET members, this has just arrived in my mailbox.
HipChat is part of Atlassian.

"Hello,

This weekend, our Security Intelligence Team detected an incident affecting HipChat.com that may have resulted in unauthorized access to user account information (including name, email address and hashed password). HipChat hashes passwords using bcrypt with a random salt. In our security investigation, we found no evidence of unauthorized access to financial and/or credit card information. We can also confirm that we have found no evidence of other Atlassian systems or products being affected.
As an added precaution, we have reset the password for your HipChat account. Please go to https://www.hipchat.com/forgot_password and enter your email address to trigger a password reset email for your www.hipchat.com account.
If you have been using your HipChat password on other sites, services or online accounts, we recommend that you immediately change those passwords as well.
Please refer to the HipChat Blog at http://blog.hipchat.com for additional information about this incident. We regret any disruption this may have caused and appreciate your immediate attention. If you have questions, please do not hesitate to contact HipChat Support via our support portal or by sending email directly to [email protected].

– Ganesh Krishnan, Chief Security Officer "

Comments

  • Idk them.

  • Nekki Veteran

    HipChat sounds like something that only massive cunts would use.

    Thanked by 3cassa doghouch sayem314
  • WSS Member

    WORLDSTAR HIPCHAT!

    Fuck 'em.

  • MikePT Moderator, Patron Provider, Veteran

    This service is part of Atlassian, quite... Huge company.

  • WSS Member

    So, their users will get more spam.

  • jarjar Patron Provider, Top Host, Veteran

    At this point I don't even care who is compromised anymore. I just care who admits it.

  • eastonch Member
    edited April 2017

    It's actually quite a good solution, used it a couple of times.
    There are other better solutions out there however.

  • Yura Member

    @Nekki said:
    HipChat sounds like something that only massive cunts would use.

    == Millennials.

  • The biggest security vulnerability in hipchat is that it starts every call with video automatically turned on.

    Thanked by 2vimalware deadbeef
  • Yura Member

    @OnApp_Terry said:
    The biggest security vulnerability in hipchat is that it starts every call with video automatically turned on.

    Gaffer tape. Always.

  • @Yura said:

    @Nekki said:
    HipChat sounds like something that only massive cunts would use.

    == Millennials.

    It's Atlassian's business chat product with paid tiers like Slack. It's not a Snapchat, Facebook Messenger, or other free data harvesting message app competitor.

    @eastonch said:
    It's actually quite a good solution, used it a couple of times.
    There are other better solutions out there however.

    Yeah, HipChat is okay. Slack is better if self-hosting isn't something that's needed.

  • Yura Member

    @flatland_spider said:

    @Yura said:

    @Nekki said:
    HipChat sounds like something that only massive cunts would use.

    == Millennials.

    It's Atlassian's business chat product with paid tiers like Slack. It's not a Snapchat, Facebook Messenger, or other free data harvesting message app competitor.

    I know, ok. I use Atlassian's products. The name is still vomit inducing.

    Thanked by 1raindog308
  • MikePT Moderator, Patron Provider, Veteran

    @jarland said:
    At this point I don't even care who is compromised anymore. I just care who admits it.

    Agreed.

  • Riz Member

    @OnApp_Terry said:
    The biggest security vulnerability in hipchat is that it starts every call with video automatically turned on.

    What about the fact that all pasted images are hosted publicly on AWS? I think forever....

    Thanked by 1OnApp_Terry
  • Hipchat was a pretty easy-to-use group chat solution in the world before Slack, Discord and self-hosted rocketchat. (2010-2011 I think)

    Thanked by 1deadbeef
  • I especially like the panic reaction to reset all passwords and to send out new ones by email. That's great!
    After all, "secure chat servers" tend to be much better protected - and protectable! - than email servers. Maybe a panic reaction like that was the attackers' plan in the first place. As in "create some panic and massive password resets by attacking the chat thingy. Then hack and link into their email server and collect all passwords comfortably", hehe

    Thanked by 1imok
  • They said that their passwords/credit cards are safe. What damage would this breach do, apart from attackers getting usernames and "personal information"?

  • @momin90909 said:
    They said that their passwords/credit cards are safe. What damage would this breach do, apart from attackers getting usernames and "personal information"?

    Let me translate their statement "In our security investigation, we found no evidence of unauthorized access to financial and/or credit card information"

    Translation: "We are so utterly stupid fucks that we insanely put everything into one system. We do vaguely hope, however, that the hackers didn't make use of our excessive stupidity. Moreover our 'analysis' found no 'you're hacked' credit card info which offers us the chance to vaguely assert that our users haven't been 100% but only 70% fucked in their rear with cacti"

  • @vimalware said:
    Hipchat was a pretty easy-to-use group chat solution in the world before Slack, Discord and self-hosted rocketchat. (2010-2011 I think)

    Yeah, it was an interesting alternative to Skype or XMPP at the time. It had more features than basic XMPP, but not the video or desktop sharing of Skype.

  • WSS Member

    @bsdguy said:
    Let me translate their statement "In our security investigation, we found no evidence of unauthorized access to financial and/or credit card information"

    I surely hope that they've lost their ability to process any offline/CNP transactions..
