Hip Aussie company Atlassian, which makes software development, project management and collaboration software, has had the hackers in.
The company announced, on its HipChat blog, that up to 2% of the username-and-password database was stolen from its eponymous group chat and team collaboration service.
Atlassian acquired HipChat just under three years ago.
Of course, even password breaches of just 2% of your userbase are a bad look, and there’s no way to avoid that.
After all, if hackers can get that far inside your network – right into your authentication server databases – then the next thing you know, people are asking, “What else did they make off with?”
All Atlassian knows right now about collateral data breach damage is that:
We have no evidence that any payment information was accessed.
Other silver-lining news is that:
While HipChat passwords are one-way encrypted (hashed and salted), as an added precaution we have triggered a password reset for all affected HipChat user accounts and all Atlassian services that share the same email address. If you have not received communication from us, we do not believe you were affected.
In other words, if you chose a hard-to-guess password, it sounds as though the crooks who stole the password data won’t be able to work it out with ease.
Salting and hashing
When a password is stored hashed and salted (actually, it’s better to say salted and then hashed, which more aptly describes the scrambulation process), you can’t go backwards from the database entry to the password itself.
You have to try every possible password against every user’s database entry.
You can only work forwards, because of the hash, and no two users ever share the same hash, because of the salt.
Done correctly, salting-and-hashing means there are no short-cuts.
Password cracking
Of course, the crooks don’t start at AAA...AA and go to ZZZ..ZZ for each user in turn.
They start with likely passwords, such as PASSWORD, 12346789, PASSWORD123 (you’ll fool nobody with that one!), and 1QAZ2WSX (look at a US keyboard).
They leave the random gobbledegook like HI=SAVkC-pjgq16gJ until later on.
In other words, the cheesier you choose, the sooner you get caught.
It would have been nice for Atlassian to say exactly how they’d salted-and-hashed those passwords.
There are several well-regarded techniques, such as PBKDF2, bcrypt and scrypt, for reliably adding lots of loops into the hashing phase.
Note that hashing an input over and over again doesn’t improve the cryptographic strength of the hash.
If it’s any good, then one iteration should produce an output that is as irreversible as 1,000,000 iterations; if it isn’t any good, then there is no guarantee that looping over and over will mask the weaknesses in the underlying hashing algorithm.
But repeated hashing does slow things down.
Not so much that validating an individual user’s login takes so long as to cause frustration, but long enough to increase the time needed for a cracker to try each password by a factor that puts well-chosen passwords even further out of reach.
Word on the street – or, at least, a suggestion in the comments on the HipChat blog – suggests that Atlassian used the “hash-stretching” system bcrypt; if so, this is likely to keep all but the shabbiest choices of passwords out of reach of the crooks.
(Loosely speaking, you only need to keep the crooks out until you’ve changed your password for something new.)
Breaking the bad news
The other thing I think I might have done differently, if I were the HipChat blogger given the task of breaking this bad news, would have been to leave out this bit:
We take our responsibility to protect you and your data very seriously, and we’re constantly enhancing the security of our service infrastructure to keep you and your data safe. While recent events with other large services have demonstrated this type of activity is increasing, so too is our vigilance in blocking and addressing it.
I’d prefer to skip the platitudes in favour of a straight-talking report published later on, describing what was actually done after the breach to reduce the chance of it ever happening again.
By the way, if you were one of the 2% in the “unlucky list” of plundered credentials, the crooks now have your email address as well.
Not that big of a a deal, but you might want to put yourself on heightened alert for unsolicited emails that draw some sort of unexpected connection between you and HipChat.
HOW TO PICK A PROPER PASSWORD
→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.
Jim Noyb
Everybody knows you have to salt and pepper the meat and potatoes before you hash ’em.
Martin
“It would have been nice for Atlassian to say exactly how they’d salted-and-hashed those passwords.”
To make it even easier for the hackers to figure out the exact algoritm they shall use when the brute force the hashes? NO, that would NOT have been nice!
Paul Ducklin
That doesn’t make sense. Cryptography is rarely, if ever, improved by keeping the algorithm a secret. Ideally, the algorithm is unashamedly public, has been scrutinised by experts for years, and has performance and quality that are well-defined. The security relies on how well the algorithm works and has been deployed, not on some obscurity in its mechanism.
(If you rely on the secrecy of the algorithm for the secrecy of your data, then if ever that secret is violated then *all other security bets* are off. It’s like finding a master key that opens every door in the hotel instead of pickpocketing one guy’s room key.)