Security Experts:

Slack Resetting More User Passwords in Response to 2015 Breach

Slack announced on Thursday that it’s resetting passwords for accounts that users have not secured after the data breach suffered by the company back in 2015.

In March 2015, Slack informed users that it had detected unauthorized access to a database storing account information. The compromised database stored usernames, email addresses, hashed passwords, phone numbers and Skype IDs. The attackers also injected malicious code designed to capture plaintext passwords as they were entered by users.

After it discovered the incident, Slack reset the passwords for a “small number” of users who had been confirmed to be affected, and encouraged others to change their passwords and enable two-factor authentication.Slack responds to 2015 hack

However, Slack learned recently through its bug bounty program about some potentially compromised credentials. The credentials appeared to be obtained as a result of theft via malware or a third-party hack, and Slack sent out notifications to impacted users to inform them that their password had been reset.

Following further analysis of the compromised data, Slack determined that a majority of the usernames and passwords were actually associated with accounts that logged in to the platform during the 2015 breach.

Slack is now resetting passwords for 1% of accounts, specifically ones that were created before March 2015, and for which passwords have not been changed since and they don’t use single-sign-on (SSO). Users whose passwords are being reset will be notified.

“Today we are resetting passwords for all accounts that were active at the time of the 2015 incident, with the exception of accounts that use SSO or with passwords changed after March 2015. We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause,” Slack said.

Users and administrators who believe their Slack accounts may have been hacked can check the access logs made available by the vendor.

Slack says it has over 10 million daily active users across more than 150 countries. These users, representing over 600,000 organizations, send over 1 billion messages every week via the platform. The company claims to have 88,000 paid customers, including more than 65 of the Fortune 100 firms.

Related: Slack Flaw Allows Hackers to Steal, Manipulate Downloads

Related: Slack Lists Cybersecurity Risks Ahead of Going Public

Related: Slack Quickly Patches Account Hijacking Flaw

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.