Atlassian HipChat breach prompts mass password reset

User account information, including name, email address and hashed password, could have been compromised

An attack on a third-party library affecting Atlassian’s HipChat team chat platform may have compromised users’ information and has prompted a mass password reset for the company’s services.

Atlassian’s chief security officer, Ganesh Krishan, sent an email to users on 25 April, revealing that the company’s security intelligence team had detected an incident affecting the platform.

The incident may have resulted in unauthorised access to some user account information, including name, email address and hashed password.

According to a blog post published by Krishan on 24 April, the incident involved a vulnerability in a popular third-party library used by

“In our security investigation, we found no evidence of unauthorised access to financial and/or credit card information,” Krishan said. “We can also confirm that we have found no evidence of other Atlassian systems or products being affected.”

However, the company conceded that the platform’s room metadata (including room name and room topic) may have also been accessed.

“For a small number of instances (less than 0.05 per cent), messages and content in rooms may have been accessed,” Krishan said. “We are contacting and will work closely with these customers.

“For the vast majority of instances (more than 99.95 per cent), we have found no evidence that messages or content in rooms have been accessed,” he said.

The company said that, as a precaution, it had invalidated passwords on all HipChat-connected user accounts and sent users instructions on how to reset their password.

As an added precaution, the company also reset users’ Atlassian ID, which is used to access all Atlassian services, including HipChat.

“If you have been using your Atlassian ID password on other sites, services or online accounts, we recommend that you immediately change those passwords as well,” Krishan said.

While HipChat Server uses the same third-party library that was compromised, it is generally deployed in a way that is expected to minimise the risk of the type of attack that resulted in this particular incident, according to Krishan.

“We are preparing an update for HipChat Server that will be shared with customers directly through the standard update channel,” he said. “We are confident we have isolated the affected systems and closed any unauthorised access.

“This is an ongoing investigation and Atlassian is actively working with law enforcement authorities on the investigation of this matter,” he said.