Internet related News · 2015-03-28

Team communication platform Slack says hackers accessed data base

Team communication platform Slack has revealed that there was “an unauthorized access” to the database storing its user profile information in early February this year, but said it had, for now, no indication that user passwords were compromised.

The announcement was made on the official Slack blog. “We have since blocked this unauthorized access and made additional changes to our technical infrastructure to prevent future incidents. We have also released two factor authentication and we strongly encourage all users to enable this security feature,” said the Slack team.

The Slack team has shared details of the incident:

Slack maintains a central user database which includes user names, email addresses, and one-way encrypted (“hashed”) passwords. In addition, this database contains information that users may have optionally added to their profiles such as phone number and Skype ID. Information contained in this user database was accessible to the hackers during this incident.

We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing. Slack’s hashing function is bcrypt with a randomly generated salt per-password which makes it computationally infeasible that your password could be recreated from the hashed form.

Our investigation, which remains ongoing, has revealed that this unauthorized access took place during a period of approximately 4 days in February. As soon as the evidence was uncovered, we started communication with the affected teams. The announcement was made as soon as we could confirm the details and as fast as we could type.

No financial or payment information was accessed or compromised in this attack.
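The bcrypt passage above rests on two properties: each password gets its own random salt, and verification re-derives the hash rather than decrypting anything. The following added example (not Slack's code) demonstrates those properties; because bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 is used as a labelled stand-in with the same salt-per-record structure.

```python
import hashlib
import hmac
import os
from typing import Optional

# Stand-in for bcrypt (available separately as the third-party "bcrypt"
# package): PBKDF2-HMAC-SHA256 with a fixed iteration count. bcrypt encodes
# its cost and salt inside the hash string; here the salt is stored beside
# the digest in a "salt_hex$digest_hex" record. Both values are assumptions.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a 'salt_hex$digest_hex' record with a fresh random 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)  # one salt per password, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time.

    Nothing is decrypted: the stored digest is one-way, so a login check can
    only confirm a candidate password, not recover the original.
    """
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password get different records.

    This is what the per-password salt buys a defender: a leaked table shows
    neither which users share a password nor a digest that a precomputed
    table of unsalted hashes could match.
    """
    return hash_password(password) != hash_password(password)


def unsalted_table_lookup(record: str, wordlist: list) -> Optional[str]:
    """Show that a table of plain SHA-256 hashes is useless against a salted
    record: the digest half never matches a salt-free hash of any word."""
    digest_hex = record.split("$", 1)[1]
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(digest_hex)
```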

Slack management further said that since the compromise was first discovered, it had been working around the clock to methodically examine, rebuild and test each component of the system to ensure it was safe. It was also collaborating with outside experts to cross-check its assumptions, and had notified law enforcement of the intrusion.

As part of its investigation, it had detected suspicious activity affecting a very small number of Slack accounts. The individual users and team owners concerned had been given details directly. “Unless you have been contacted by us directly about a password reset or been advised of suspicious activity in your team’s account, all the information you need is in this blog post.”

In addition, Slack has also just released two features:

Two-factor authentication, which is now available for all users and teams.

A “Password Kill Switch” for team owners, which allows both an instantaneous team-wide reset of passwords and a forced termination of all user sessions for all team members. Team owners can find this option under the authentication tab of their team settings.

Image Credit: Slack
