In a blog post, Anne Toth of Slack has described how hackers managed to access an internal database containing customers’ names, usernames, email addresses, one-way encrypted (hashed) passwords, and potentially other information including Skype IDs and phone numbers.
Apparently the firm was only able to confirm the hack – which took place over four days in February – “recently”.
We were recently able to confirm that there was unauthorized access to a Slack database storing user profile information. We have since blocked this unauthorized access and made additional changes to our technical infrastructure to prevent future incidents. We have also released two factor authentication and we strongly encourage all users to enable this security feature.
We are very aware that our service is essential to many teams. Earning your trust through the operation of a secure service will always be our highest priority. We deeply regret this incident and apologize to you, and to everyone who relies on Slack, for the inconvenience.
The lack of a clear timeline means that users are left in the dark about whether it has taken Slack a little over three weeks to notify customers that their systems have been hacked, or closer to two months.
Certainly I would be interested to hear precisely when (rather than “recently”) Slack discovered it had been attacked, and whether it has deliberately delayed the announcement until it was ready to announce new security features like two-factor authentication.
The good news is that it doesn’t appear that the attackers were able to access any financial or payment card information.
However, when you read Slack’s FAQ about the security incident you are left with the impression that some businesses may also have had their private communications on the service snooped upon.
Q: Were my messages taken/read/accessed?
If you have not been explicitly informed by us in a separate communication that we detected suspicious activity involving your Slack account, we are very confident that there was no unauthorized access to any of your team data (such as messages or files).
Perhaps Slack has systems in place to see what accounts and communications the hackers may have accessed, and so believes that deeper compromise is limited – but questions may still need to be asked about whether stronger security is required to prevent serious attacks happening in the future.
A statement issued by Slack to Cult of Mac appears to shed a little more light on this:
“We cannot comment beyond details in the blog post about any other unauthorized activity that may have affected individual accounts. We have been in direct communication with a very small number of individual account holders and team owners, but will not be commenting publicly about these accounts. We can confirm that there was no access to databases containing message archives or other similar sensitive team data as part of this incident.”
“Message archives are not encrypted on the server side (search is an important part of Slack and it is not possible to both securely encrypt messages and offer search as a feature).”
Can you trust Slack to be secure? Is it yet another case of an online service that has grown rapidly, without treating security and privacy as a top priority?
The jury is currently out. If I were a customer of Slack I would need them to work hard to rebuild my trust, and be more transparent about what occurred to reassure me that they weren’t attempting to massage the breach notification for PR reasons.
If you are a Slack user I would recommend that, at the very least, you remember to be careful what you share, warn your colleagues to be on the lookout for phishing messages and targeted attacks (the bad guys have got your contact details now, remember?) and enable two-factor authentication as soon as possible.
Further reading: Slack’s blog
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.