HipChat SlipChat lets hackers RipChat

IRC-for-biz HipChat says a vulnerability in a software library used by its HipChat.com service allowed hackers to access private conversations and customer account information. The ytalk-for-suits maker said on Monday an attacker was able to infiltrate a single server powering its cloud-hosted chat service, and, in the process …

Can't reset

The passwords have been revoked but it is currently impossible to reset them and create new ones, presumably due to the volume of requests.

It's kinda unimpressive when they knew about the vulnerability and still failed to secure themselves against it.

Here

https://confluence.atlassian.com/hc/hipchat-server-security-advisory-2017-03-09-877346198.html

they said:

"Hipchat Cloud does not have the issue described on this page."


Re: Can't reset

Might be more than just high volumes. From their status page (http://atlassian.statuspage.io/):

"We are investigating ongoing problems with Atlassian account preventing users to login to Atlassian services."

I wonder if they took down their password handling programs as a consequence of the breach? What a mess.

Anonymous Coward

Interestingly, they don't seem to keep a history of previous hashes, so you can set your password to back to the same password that it was before the reset.

Anonymous Coward

Well it's entirely your own fault if you decide to do that and then someone cracks your hash in a few years.

Anonymous Coward

That was my point. I tried it just to see, then immediately changed my password to a new one.

Go

seems like quite a professional response to me.

Spotted a problem, advised customers, took action.

Rather than the "A few customers were affected. It's all taken care of. Nothing to see here" BS of people like Stalk Stalk.

For bonus points advise the library supplier of their fault.

Not a bad performance for a breach situation.


Re: seems like quite a professional response to me.

Really?

1) They knew about a vulnerability, checked their systems and incorrectly stated they were safe from it.

2) Reset all the passwords then discovered their systems can't handle everybody requesting a new one.

24 hours later I am still struggling to get a new password. About half the people in my company have managed it so far.


Biting the hand that feeds IT © 1998–2018