Slack response. Passwords reset four years after data breach

Graham Cluley

In March 2015, Slack announced that it had been hacked the previous month, and that a central user database holding “usernames, email addresses, and one-way encrypted (‘hashed’) passwords” had been accessed. In some instances, phone numbers and Skype IDs were also exposed.

Slack said that it had “no indication that the hackers were able to decrypt stored passwords”.

At the time I questioned whether Slack had really announced the breach as speedily as it claimed (“as soon as we could confirm the details and as fast as we could type”), and criticised a lack of transparency in the company’s timeline of what had occurred.

One of my suspicions was that Slack delayed the announcement to coincide with its support of two-factor authentication, allowing users to better harden their account security but also softening the blow to the company’s image.

Email from Slack

Many people have probably forgotten about the 2015 Slack data breach, but what we thought was an old story is now making headlines again because yesterday – over four years after the hack – the service made a new announcement.

“In response to new information about our 2015 security incident, we are resetting passwords for approximately 1% of Slack accounts.”

Slack says that in 2015 it reset the passwords for the “small number of Slack users” it confirmed had been affected by the hack. However, it has now decided to reset passwords “for all accounts that were active at the time of the 2015 incident, with the exception of accounts that use SSO or with passwords changed after March 2015.”
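The selection rule quoted above (active during the incident, not SSO, password not changed after March 2015) written out as an added illustration, not Slack's own code. The incident window and the cut-off date are constructed assumptions: the post only says the intrusion was in February 2015 and that changes "after March 2015" are excluded, so a change made during March still triggers a reset; an account with no recorded password-change history is treated conservatively and reset.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

UTC = timezone.utc
# Constructed dates (assumptions): the post says the intrusion was in February 2015
# and that accounts whose password changed after March 2015 are excluded.
INCIDENT_START = datetime(2015, 2, 1, tzinfo=UTC)
INCIDENT_END = datetime(2015, 3, 1, tzinfo=UTC)     # exclusive
PASSWORD_CUTOFF = datetime(2015, 4, 1, tzinfo=UTC)  # on/after = "after March 2015"


@dataclass
class Account:
    user_id: str
    uses_sso: bool
    logins: List[datetime] = field(default_factory=list)  # login timestamps (UTC)
    password_changed_at: Optional[datetime] = None        # None = history unknown


def logged_in_during_incident(acct: Account) -> bool:
    """True if any recorded login falls inside the incident window."""
    return any(INCIDENT_START <= t < INCIDENT_END for t in acct.logins)


def needs_reset(acct: Account) -> bool:
    """Apply the stated reset policy to one account."""
    if acct.uses_sso:                      # no Slack-held password to reset
        return False
    if not logged_in_during_incident(acct):
        return False                       # not active at the time of the incident
    if acct.password_changed_at is None:
        return True                        # unknown history: assume the worst
    return acct.password_changed_at < PASSWORD_CUTOFF


def select_for_reset(accounts: List[Account]) -> List[str]:
    """Return the user ids whose passwords must be force-reset."""
    return [a.user_id for a in accounts if needs_reset(a)]


# Constructed sample accounts covering each branch of the policy
SAMPLE_ACCOUNTS = [
    Account("u1", False, [datetime(2015, 2, 14, tzinfo=UTC)], datetime(2014, 11, 1, tzinfo=UTC)),
    Account("u2", False, [datetime(2015, 2, 14, tzinfo=UTC)], datetime(2016, 6, 1, tzinfo=UTC)),
    Account("u3", True, [datetime(2015, 2, 14, tzinfo=UTC)]),
    Account("u4", False, [datetime(2015, 5, 1, tzinfo=UTC)], datetime(2014, 1, 1, tzinfo=UTC)),
    Account("u5", False, [datetime(2015, 2, 28, tzinfo=UTC)]),
    Account("u6", False, [datetime(2015, 2, 3, tzinfo=UTC)], datetime(2015, 3, 20, tzinfo=UTC)),
]

if __name__ == "__main__":
    print(select_for_reset(SAMPLE_ACCOUNTS))  # ['u1', 'u5', 'u6']
```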

Slack says it decided to take this new action after it received information through its bug bounty program about potentially compromised Slack credentials. Initially the company expected the passwords to have been collected through malware attacks or users making the mistake of reusing the same password on multiple services, but an investigation determined that “the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident.”

“We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause. However, we do recognize that this is inconvenient for affected users, and we apologize,” said Slack in its statement.

If you’re not 100% certain about what happened during a data breach, it’s perhaps wiser to assume the worst. Slack would have been wiser – in an abundance of caution – to reset all of its users’ passwords back in March 2015.

After all, leaving it until four years later looks a little bit… slack.

PS. If you are a Slack user, be sure to set up two-factor authentication.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “Slack response. Passwords reset four years after data breach”

  1. Slack's 4 year delayed response is another reason why we need laws, criminal prosecution, and fines that go to victims.
