In March 2015, Slack announced that it had been hacked the previous month, and that a central user database holding “usernames, email addresses, and one-way encrypted (‘hashed’) passwords” had been accessed. In some instances, phone numbers and Skype IDs were also exposed.
Slack said that it had “no indication that the hackers were able to decrypt stored passwords”.
At the time I questioned whether Slack had really announced the breach as speedily as it claimed (“as soon as we could confirm the details and as fast as we could type”), and criticised a lack of transparency in the company’s timeline of what had occurred.
One of my suspicions was that Slack delayed the announcement to coincide with its support of two-factor authentication, allowing users to better harden their account security but also softening the blow to the company’s image.
Many people have probably forgotten about the 2015 Slack data breach, but what we thought was an old story is now making headlines again because yesterday – over four years after the hack – the service made a new announcement.
“In response to new information about our 2015 security incident, we are resetting passwords for approximately 1% of Slack accounts.”
Slack says that in 2015 it reset the passwords for the “small number of Slack users” it confirmed had been affected by the hack. However, it has now decided to reset passwords “for all accounts that were active at the time of the 2015 incident, with the exception of accounts that use SSO or with passwords changed after March 2015.”
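To make the reset rule concrete, here is an added Python example (not Slack's own code) that applies the stated criteria to constructed sample accounts; the incident window dates and the account fields are assumptions. It also includes a blanket-reset variant, going beyond the announcement, that resets every non-SSO account whose password has not been rotated since.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Assumed incident window: the intrusion was in February 2015 and announced in
# March; the exact boundaries here are a constructed assumption.
INCIDENT_START = date(2015, 2, 1)
INCIDENT_END = date(2015, 3, 31)
RESET_CUTOFF = date(2015, 3, 31)  # "passwords changed after March 2015" are exempt

@dataclass
class Account:
    user_id: str
    logins: List[date] = field(default_factory=list)  # login history
    uses_sso: bool = False                            # single sign-on, no Slack password
    password_changed: Optional[date] = None           # last rotation; None if never

def logged_in_during_incident(acct: Account) -> bool:
    return any(INCIDENT_START <= d <= INCIDENT_END for d in acct.logins)

def needs_reset(acct: Account, reset_all: bool = False) -> bool:
    """Slack's 2019 rule: logged in during the incident, not SSO, and password
    unchanged since March 2015. reset_all=True is the cautious variant: every
    non-SSO account whose hash could still match the accessed database."""
    if acct.uses_sso:
        return False  # no Slack-held password hash to expose
    if acct.password_changed is not None and acct.password_changed > RESET_CUTOFF:
        return False  # any hash in the 2015 database is no longer valid
    return reset_all or logged_in_during_incident(acct)

def select_for_reset(accounts: List[Account], reset_all: bool = False) -> Set[str]:
    return {a.user_id for a in accounts if needs_reset(a, reset_all)}

# Constructed sample accounts, not real Slack data.
SAMPLE_ACCOUNTS = [
    Account("alice", logins=[date(2015, 2, 15)]),
    Account("bob", logins=[date(2015, 2, 20)], uses_sso=True),
    Account("carol", logins=[date(2015, 2, 10)], password_changed=date(2016, 1, 1)),
    Account("dave", logins=[date(2016, 5, 1)]),
    Account("erin", logins=[date(2015, 2, 5)], password_changed=date(2015, 3, 1)),
]

if __name__ == "__main__":
    print(sorted(select_for_reset(SAMPLE_ACCOUNTS)))                  # ['alice', 'erin']
    print(sorted(select_for_reset(SAMPLE_ACCOUNTS, reset_all=True)))  # ['alice', 'dave', 'erin']
```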
Slack says it decided to take this new action after it received information through its bug bounty program about potentially compromised Slack credentials. Initially the company expected the passwords to have been collected through malware attacks or users making the mistake of reusing the same password on multiple services, but an investigation determined that “the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident.”
“We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause. However, we do recognize that this is inconvenient for affected users, and we apologize,” said Slack in its statement.
If you’re not 100% certain about what happened during a data breach, it’s perhaps wiser to assume the worst. Slack would have been wiser – in an abundance of caution – to reset all of its users’ passwords back in March 2015.
After all, leaving it until four years later looks a little bit… slack.
PS. If you are a Slack user, be sure to set up two-factor authentication.
Slack's 4-year-delayed response is another reason why we need laws, criminal prosecution, and fines that go to victims.