

Atlassian HipChat was breached. Time to reset your password. - nixgeek
https://blog.hipchat.com/2015/02/01/hipchat-security-notice-and-password-reset/

======
Shank
With the number of companies that store company-confidential data in HipChat,
the real question is whether or not it was a targeted attack on specific
organizations, or if it was a general breach of access on the generic user
database.

~~~
jbish
Wondering the same. What if this was Github? What if private repos were
somehow exposed? All these team apps could expose sensitive data if
targeted/breached.

~~~
walterbell
Do companies really store sensitive code IP on public cloud sites like github,
which could be acquired at any time by a competitor?

~~~
meepmorp
I've seen passwords and other sensitive config data committed to public repos
in GitHub. I wouldn't even be slightly surprised by people keeping sensitive
IP or trade secrets there, on the assumption that if it's a private repo, it
must be safe.

~~~
josegonzalez
To clarify for others who might not see this: Where do you think sensitive
data - private keys, passwords, etc. - should be kept? For instance, when
setting up infrastructure for a company, how would you desire that data be
shared across users?

One might have the same reservations about something like Heroku - or really
any cloud provider - given that at some point, you are pushing code to a
server that is owned by another company whose security you cannot audit.

~~~
damon_c
If you use ansible, there is a great feature called ansible-vault that allows
you to store all those sensitive bits right in the repo but encrypted and
automatically readable by ansible when needed.
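
An added example, not part of the thread above and not Ansible's own code: a check that could run before commit to confirm that sensitive variables in a repo are actually vault-encrypted, keyed on the `$ANSIBLE_VAULT;<version>;AES256` header that ansible-vault writes. The list of sensitive key names, the function names and the sample files are assumptions constructed for illustration.

```python
import re

# First line of any ansible-vault payload, e.g. "$ANSIBLE_VAULT;1.1;AES256"
# (format 1.2 appends a vault-id label).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;AES256(;[\w.-]+)?$")
# Assumption: key names this example treats as sensitive.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api_key|private_key)", re.I)
KEY_VALUE = re.compile(r"^\s*(?:-\s*)?([\w.-]+)\s*:\s*(.*)$")


def is_vault_file(text):
    """True when the whole file is an ansible-vault payload."""
    lines = text.lstrip().splitlines()
    return bool(lines) and bool(VAULT_HEADER.match(lines[0].strip()))


def plaintext_secrets(text):
    """Return (line_number, key) for sensitive keys whose value is not encrypted."""
    if is_vault_file(text):
        return []
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = KEY_VALUE.match(line)
        if line.lstrip().startswith("#") or not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if not SENSITIVE_KEY.search(key) or value in ("", "~", "null"):
            continue
        # "!vault |" marks an inline encrypted value; a Jinja reference
        # points at a variable defined elsewhere (ideally in a vaulted file).
        if value.startswith("!vault") or value.lstrip("\"'").startswith("{{"):
            continue
        findings.append((number, key))
    return findings


# Constructed samples: placeholder ciphertext and a made-up password.
ENCRYPTED_FILE = "$ANSIBLE_VAULT;1.1;AES256\n0000\n"
MIXED_FILE = """db_user: app
db_password: hunter2
api_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  0000
smtp_password: "{{ vault_smtp_password }}"
"""

if __name__ == "__main__":
    for line_number, key in plaintext_secrets(MIXED_FILE):
        print(f"line {line_number}: {key} is stored in plaintext")
```

The check is a line-based heuristic rather than a YAML parser, so it is a backstop for review, not a guarantee that nothing sensitive was committed.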

