Slack Passwords Stolen – Time for a Reset

Slack resets passwords following 2015 security breach


Published: July 26, 2019

Rebekah Carter - Writer


Slack, the company that initially introduced the world to collaboration tools as we know them today, recently announced that it would be resetting thousands of passwords for some of its users. The decision to reset passwords has been made after new information came to light about a security breach that happened all the way back in 2015!

According to Slack, anyone currently using the software who created their account before this date and hasn’t changed their password since will potentially have their password reset automatically. Slack says only 1% of its users overall will require a security update – which equates to about 65,000 users.

The 2015 Password Hack

Slack announced that it had chosen to start resetting passwords in a disclosure notice posted on the 18th of July this year. According to the document, Slack has recently revealed details of possibly compromised user credentials, sent through its “bug bounty” program. This program essentially asks the hacker community to “do their worst” on the Slack platform and see whether they can access any personal details or data.

The company linked the issues outlined in the Bug Bounty report to a hack that had occurred back in 2015, where hackers had been able to insert code for keylogging into the software. This code meant that the hackers could potentially read user passwords when they entered them. The hackers also had access to lists of usernames and hashed passwords.

The discovery has led to the passwords for all of the user accounts active during the time of this breach being instantly reset. However, you won’t have had your password reset if you use a single sign-on solution, or you already changed your password sometime after March 2015.

What is Slack Doing About the Hack?

The Slack team announced that they don’t believe that any of the accounts active at the time of the hack were compromised. However, they think that it’s better to be safe than sorry, which is why they’re notifying all affected users directly if they might have been exposed by the attack. Slack also outlined that they have not seen any further breaches to their infrastructure since the invasion in 2015. At the time of the original 2015 hack, Slack was also introducing two-factor authentication for the first time.

During this period, Slack added a password kill-switch for administrators who wanted to force channel-wide password resets for all team members. The 2-factor authentication offering has been recommended by Slack for all users in light of the recent information. Slack also suggests that all users make sure that their antivirus and computer software are up to date, and that they create passwords that are entirely unique for every service or software they use.
