Slack has been hacked

SlackSlack, the hip and groovy business chat service that has been the darling of various technology blogs, has found itself in the unfortunate position of admitting that it has been hacked.

In a blog post, Anne Toth of Slack, has described how hackers managed to access an internal database containing customers' names, usernames, email addresses, one-way encrypted passwords, and potentially other information including Skype IDs and phone numbers.

Apparently the firm was only able to confirm the hack - which took place over four days in February - "recently".

Slack statement

We were recently able to confirm that there was unauthorized access to a Slack database storing user profile information. We have since blocked this unauthorized access and made additional changes to our technical infrastructure to prevent future incidents. We have also released two factor authentication and we strongly encourage all users to enable this security feature.

We are very aware that our service is essential to many teams. Earning your trust through the operation of a secure service will always be our highest priority. We deeply regret this incident and apologize to you, and to everyone who relies on Slack, for the inconvenience.

The lack of a clear timeline means that users are left in the dark about whether it has taken Slack a little over three weeks to notify customers that their systems have been hacked, or closer to two months.

Certainly I would be interested to hear precisely when (rather than "recently") Slack discovered it had been attacked, and whether it has deliberately delayed the announcement until it was ready to announce new security features like two-factor authentication.

Slack

The good news is that it doesn't appear that the attackers were able to access any financial or payment card information.

However, when you read Slack's FAQ about the security incident you are left with the impression that some businesses may have had their private communications via the service also snooped upon.

Slack FAQ

Q: Were my messages taken/read/accessed?
If you have not been explicitly informed by us in a separate communication that we detected suspicious activity involving your Slack account, we are very confident that there was no unauthorized access to any of your team data (such as messages or files).

SlackOf course, if Slack is admitting that some of its customers' communications might have been accessed you have to wonder what technically would have prevented the hackers from accessing other customers' messages too.

Perhaps Slack has systems in place to see what accounts and communications the hackers may have accessed, and so believes that deeper compromise is limited - but questions may still need to be asked about whether stronger security is required to prevent serious attacks happening in the future.

A statement issued by Slack to Cult of Mac appears to shed a little more light on this:

"We can not comment beyond details in the blog post about any other unauthorized activity that may have affected individual accounts. We have been in direct communication with a very small number of individual account holders and team owners, but will not be commenting publicly about these accounts. We can confirm that there was no access to databases containing message archives or other similar sensitive team data as part of this incident."

"Message archives are not encrypted on the server side (search is an important part of Slack and it is not possible to both securely encrypt messages and offer search as a feature)."

Can you trust Slack to be secure? Is it yet another case of an online service that has grown rapidly, without treating security and privacy as a top priority?

The jury is currently out. If I was a customer of Slack I would need them to work hard to rebuild my trust, and be more transparent about what occurred to reassure me that they weren't attempting to massage the breach notification for PR reasons.

Email from Slack

If you are a Slack user I would recommend that, at the very least, you remember to be careful what you share, warn your colleagues to be on the look out for phishing messages and targeted attacks (the bad guys have got your contact details now, remember?) and enable two-factor authentication as soon as possible.

Further reading: Slack's blog

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

2 Responses

  1. Coyote

    March 28, 2015 at 2:32 pm #

    "Of course, if Slack is admitting that some of its customers' communications might have been accessed you have to wonder what technically would have prevented the hackers from accessing other customers' messages too."
    Indeed. But then, just like log files are a target of attackers, so too could be this, which is why there exists remote logging (among other things, of course). So even if this exists, there is no 100% here. Besides which, they clearly were outdone and so if that is the case are they not outdone in this way, too? Who knows? No one does, not even themselves, probably.

    And now to point out the irony that most will think of immediately, but that I can't help making fun of it:

    Slack was clearly slacking, became the victim of slack, and consequently were 'hacked' … a perfect rhyme for an inexcusable crime (the crime being at both ends albeit different definitions of crime) …

  2. mike

    March 30, 2015 at 5:59 pm #

    It seems that they knew about this for a while and sat on it. I wonder if that has anything to do with the investment they have just received…

Leave a Reply