HipChat SlipChat lets hackers RipChat

IRC-for-biz HipChat says a vulnerability in a software library used by its HipChat.com service allowed hackers to access private conversations and customer account information. The ytalk-for-suits maker said on Monday an attacker was able to infiltrate a single server powering its cloud-hosted chat service, and, in the process …

  1. Comedy of Errors

    Can't reset

    The passwords have been revoked but it is currently impossible to reset them and create new ones, presumably due to the volume of requests.

    It's kinda unimpressive when they knew about the vulnerability and still failed to secure themselves against it.

    Here

    https://confluence.atlassian.com/hc/hipchat-server-security-advisory-2017-03-09-877346198.html

    they said:

    "Hipchat Cloud does not have the issue described on this page."

    1. Comedy of Errors

      Re: Can't reset

      Might be more than just high volumes. From their status page (http://atlassian.statuspage.io/):

      "We are investigating ongoing problems with Atlassian account preventing users to login to Atlassian services."

      I wonder if they took down their password handling programs as a consequence of the breach? What a mess.

  2. Anonymous Coward

    Interestingly, they don't seem to keep a history of previous hashes, so you can set your password back to the same password that it was before the reset.

    1. Anonymous Coward

      Well it's entirely your own fault if you decide to do that and then someone cracks your hash in a few years.

      1. Anonymous Coward

        That was my point. I tried it just to see, then immediately changed my password to a new one.

  3. John Smith 19

    seems like quite a professional response to me.

    Spotted a problem, advised customers, took action.

    Rather than the "A few customers were affected. It's all taken care of. Nothing to see here" BS of people like Stalk Stalk.

    For bonus points advise the library supplier of their fault.

    Not a bad performance for a breach situation.

    1. Comedy of Errors

      Re: seems like quite a professional response to me.

      Really?

      1) They knew about a vulnerability, checked their systems and incorrectly stated they were safe from it.

      2) Reset all the passwords then discovered their systems can't handle everybody requesting a new one.

      24 hours later I am still struggling to get a new password. About half the people in my company have managed it so far.

Biting the hand that feeds IT © 1998–2020