The Slack database that stores user profile information was accessed without authorization, and to ensure account security the company has rolled out two-factor authentication for all accounts. A very small number of accounts were found to be affected by suspicious activity, and Slack has already reached out to those users.

In addition to rolling out two-factor authentication, Slack has put a "Password Kill Switch" in place for team owners. With just one button, the kill switch lets team owners force a termination of all sessions and require all passwords to be reset.


The new security measures show that Slack takes this very seriously. Slack did share some information about the attack:

  • Slack maintains a central user database which includes user names, email addresses, and one-way encrypted ("hashed") passwords. In addition, this database contains information that users may have optionally added to their profiles such as phone number and Skype ID.
  • Information contained in this user database was accessible to the hackers during this incident.
  • We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing.
  • Slack's hashing function is bcrypt with a randomly generated salt per-password which makes it computationally infeasible that your password could be recreated from the hashed form.
  • Our investigation, which remains ongoing, has revealed that this unauthorized access took place during a period of approximately 4 days in February.
  • No financial or payment information was accessed or compromised in this attack.
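To illustrate the per-password salt and work factor mentioned in Slack's statement, here is an added example (not Slack's code). It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, and all function names and sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Assumption: PBKDF2-HMAC-SHA256 (standard library) stands in for bcrypt here.
ITERATIONS = 100_000   # work factor: each guess costs this many HMAC rounds
SCHEME = "pbkdf2_sha256"

def hash_password(password: str) -> str:
    """Return 'scheme$iterations$salt$digest' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt; malformed records fail closed."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False

def unsalted_sha256(password: str) -> str:
    """Weak baseline for comparison: fast and identical for equal passwords."""
    return hashlib.sha256(password.encode()).hexdigest()

def users_sharing_a_hash(table: dict) -> int:
    """Count users whose stored value also appears on another user's row."""
    counts = Counter(table.values())
    return sum(1 for value in table.values() if counts[value] > 1)

# Constructed sample accounts (not real data): alice and bob reuse a password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "a different passphrase",
}
UNSALTED_TABLE = {u: unsalted_sha256(p) for u, p in SAMPLE_USERS.items()}
SALTED_TABLE = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}

if __name__ == "__main__":
    print("unsalted rows sharing a hash:", users_sharing_a_hash(UNSALTED_TABLE))
    print("salted rows sharing a hash:  ", users_sharing_a_hash(SALTED_TABLE))
    print("alice verifies:", verify_password(SAMPLE_USERS["alice"], SALTED_TABLE["alice"]))
```

With unsalted hashes, anyone reading the table can see that two accounts share a password; with a random salt per password, every row is distinct and each guess has to be recomputed per account at the full work factor.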

Slack urges users to enable two-factor authentication on their accounts, and has laid out very simple instructions on how to do so.

Source: Slack
