by bArray 3336 days ago
@troyhunt: Have you seen the latest leak by Atlassian?

I got an email on 4th April, 2017 that reads as follows:

    Hello,
    
    This weekend, our Security Intelligence Team detected an incident
    affecting HipChat.com that may have resulted in unauthorized
    access to user account information (including name, email address
    and hashed password). Atlassian ID is used to manage access to
    your HipChat.com account and other Atlassian services you use.
    The password is encrypted using bcrypt with a random salt. In
    our security investigation, we found no evidence of unauthorized
    access to financial and/or credit card information. We can also
    confirm that we have found no evidence of other Atlassian systems
    or products being affected.
    
    As an added precaution, we have reset your Atlassian ID which is
    used to access all Atlassian services, including HipChat. Please
    go to https://id.atlassian.com/login/resetpassword and enter your
    email address to trigger a password reset email for your Atlassian
    ID account. If you have been using your Atlassian ID password on
    other sites, services or online accounts, we recommend that you
    immediately change those passwords as well.
    
    Please refer to the HipChat Blog at http://blog.hipchat.com for
    additional information about this incident. We regret any
    disruption this may have caused and appreciate your immediate
    attention. If you have questions, please do not hesitate to
    contact HipChat Support via our support portal or by sending email
    directly to support@hipchat.com.
    
    – Ganesh Krishnan, Chief Security Officer
Nice of them to provide links to reset your password - anyone quick on their feet and with access to that database could have got people's passwords.

I think if you tweeted at them they would release an email list to you for updating the https://haveibeenpwned.com/ website. I imagine there's still a lot of people that are unaware that their details are out there and that their accounts are vulnerable.

4 comments

No, they couldn't have gotten people's passwords. They could have their passwords _encrypted with a random salt_. Which is, frankly, useless.
They have their email and their ID, added with the knowledge they are compromised. That's enough to build a spoof password reset email and get them to type in an old/new email.
Oh no! Someone could send me an email confirming that I want to reset my password! Just like every other site out there that has a forgot password link.
They know their email and ID - so it's targeted. Without this information it is generic and easily spotted. Quoting your repository is a lot more personal and believable.

Additionally you can use the previous warning emails to really target somebody as one of the few that need "further recovery/security" steps. This is a security issue.

hashed* with a random salt
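Added example, not code from the thread or from Atlassian: what "hashed with a random salt" buys when a credential table leaks. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it here; the properties shown (a fresh random salt per stored password and a deliberately slow, tunable work factor) are the same ones bcrypt's cost parameter provides, and the record format and iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: like bcrypt's cost parameter, this sets how expensive every
# guess is for whoever obtains the leaked table. Value chosen for this example.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # random per-user salt, stored alongside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def salts_differ(password: str) -> bool:
    """Two accounts sharing a password get unrelated records, so a leaked table
    cannot be attacked with one precomputed lookup; both still verify."""
    first, second = hash_password(password), hash_password(password)
    return (
        first != second
        and verify_password(password, first)
        and verify_password(password, second)
    )


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print("verifies:", verify_password("correct horse battery staple", record))
    print("distinct salts for same password:", salts_differ("hunter2"))
```

The slow hash protects only passwords that cannot be guessed cheaply, which is why the notification also tells users to change that password anywhere else they reused it.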
Are you saying that they don't check that the email address you enter is the right one? That would be bad, but I can't see how you can conclude that from the message you quoted.
I'm not saying that at all?
Didn't see this, thanks.

I didn't get an email from the email checking website - I assume they haven't disclosed a database of emails with him.

I am not using HipChat but I am using Trello and now that they have been acquired by Atlassian I wonder if they linked all of Trello's accounts to an Atlassian ID?

  As an added precaution, we have reset your Atlassian ID 
  which is used to access all Atlassian services
Possibly, it's worth resetting to step on the side of caution. Good to occasionally rotate your passwords anyway!