Yesterday HipChat’s Chief Security Officer published a notice about the latest security incident. What happened, and how much data did the attackers get?
The problem was not with HipChat itself but with a third-party library (probably Struts). What did they get?
- all of the user information, such as usernames, passwords (bcrypt-hashed), etc.
- less than 0.05% of channel history
We do not know yet which channels’ history was stolen. The update has been released, and everyone who runs a self-hosted HipChat should install it ASAP.
I have a HipChat account. What should I do?
First of all, change your password. Remember that the password should be non-alphabetical, complicated and long 🙂 Change the password on every website where you use the same password (but you do not do things like that, right?).
A good tip is not to write any sensitive information on the Internet. Every service can be compromised, any data may be stolen, and you must be prepared for everything you keep on the Internet to become public some day. Do you remember when tons of celebs’ naked photos were stolen and published? Do you remember when Cloudflare had a fuck up and it was possible to get tons of sensitive data from millions of websites?
Everything on the Internet is public or may become public at any minute.