The company is emailing those affected by the hack

Apr 25, 2017 14:18 GMT

HipChat, the chat service for businesses, has been hacked, with evidence pointing to intruders snooping in on private conversations and accessing customer account information. 

According to a statement the company released, an attacker was able to infiltrate one of its servers. The server in question powers its cloud-hosted chat service, and from it the intruder extracted account records, including names, email addresses and hashed passwords, as well as a number of chat logs and message exchanges.

"As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their passwords," said HipChat's Ganesh Krishnan, chief security officer. "If you are a user of HipChat.com and do not receive an email from our Security Team with these instructions, we have found no evidence that you are affected by the incident."

Where to point the finger?

The company did not go into details about what happened exactly, but it did mention that hackers exploited a vulnerability in a popular third-party library used by HipChat.com.

Experts believe, however, that the problem lies with a third-party library used by Atlassian products that recently received a major security fix, namely Struts 2. Last month, after being deemed a "critical" flaw, it was patched to fix a remote-code execution vulnerability that was being exploited in the wild. The bug was present in HipChat Server, the software users need to install to run their own HipChat service.

According to HipChat, less than 0.05% of instances may have had their messages and content accessed by the hacker. For the remaining 99.95%, the company has found no evidence of intrusion. There is also no evidence of unauthorized access to financial and credit card information.

The company is working with law enforcement on the investigation into this matter.