Slack response. Passwords reset four years after data breach

In March 2015, Slack announced that it had been hacked the previous month, and that a central user database holding “usernames, email addresses, and one-way encrypted (‘hashed’) passwords” had been accessed. In some instances, phone numbers and Skype IDs were also exposed.

Slack said that it had “no indication that the hackers were able to decrypt stored passwords”.

At the time I questioned whether Slack had really announced the breach as speedily as it claimed (“as soon as we could confirm the details and as fast as we could type”), and criticised a lack of transparency in the company’s timeline of what had occurred.

One of my suspicions was that Slack delayed the announcement to coincide with its support of two-factor authentication, allowing users to better harden their account security but also softening the blow to the company’s image.

Email from Slack

Many people have probably forgotten about the 2015 Slack data breach, but what we thought was an old story is now making headlines again because yesterday – over four years after the hack – the service made a new announcement.

“In response to new information about our 2015 security incident, we are resetting passwords for approximately 1% of Slack accounts.”

Slack says that in 2015 it reset the passwords for the “small number of Slack users” it confirmed had been affected by the hack. However, it has now decided to reset passwords “for all accounts that were active at the time of the 2015 incident, with the exception of accounts that use SSO or with passwords changed after March 2015.”

Slack says it decided to take this new action after it received information through its bug bounty program about potentially compromised Slack credentials. Initially the company expected the passwords to have been collected through malware attacks or users making the mistake of reusing the same password on multiple services, but an investigation determined that “the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident.”

“We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause. However, we do recognize that this is inconvenient for affected users, and we apologize,” said Slack in its statement.

If you’re not 100% certain about what happened during a data breach, it’s perhaps wiser to assume the worst. Slack would have been wiser – in an abundance of caution – to reset all of its users’ passwords back in March 2015.

After all, leaving it until four years later looks a little bit… slack.

PS. If you are a Slack user, be sure to set up two-factor authentication.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Slack response. Passwords reset four years after data breach”

  1. Bayesian

    Slack's 4 year delayed response is another reason why we need laws, criminal prosecution, and fines that go to victims.
