It seems that when you save a Jenkins job with HipChat plugin installed it copies the Global configuration settings into the job XML file. Anybody who can view job configuration or job configuration history can see the sensitive HipChat server and token information. This is a security issue and also a pain to update if you need to re-save 30+ jenkins jobs.