Password reset action pushed to affected users

Mar 28, 2015 08:58 GMT  ·  By

After getting hacked recently and user profile information was exposed to an unauthorized third party, Slack improves account log-in security by adding support for two-factor authentication (2FA) and a group password reset feature.

Slack (reviewed here) is a team communication platform that has gained a lot of popularity, recently being valued at $2.76 / €2.53 billion (unofficial) following a funding round that allows raising up to $160 / €147 million.

Passwords were hashed and salted

The company discovered that, for about four days in February, its database with user profile information had been illegally accessed, putting at risk usernames, email addresses and passwords.

In some cases, additional data consisting in phone numbers and Skype ID was exposed, if users had them added to their profiles.

The precautions enforced for protecting the passwords make it unlikely that the intruder(s) managed to learn them since only their hash values were stored, which were also salted with randomly generated data.

After becoming aware of the incident, Slack initiated an investigation relying on outside expertise to learn the full extent of the breach, says Anne Toth, VP of Policy & Compliance Strategy.

It appears that suspicious activity was detected only for a small number of accounts, whose users and team owners were briefed, with passwords being reset.

New features strengthen account security

In the wake of the breach, the company decided to include two new security features for the clients, one being 2FA that adds an extra layer of protection for the log-in process.

With 2FA turned on, apart from providing the defined password for accessing the account, another security code needs to be entered, which is delivered to the phone of the user and has an expiration time.

This way, an attacker would have to also compromise the smartphone of the user, Slack profile hijacking thus becoming more difficult to attain.

The second security feature is called “Password Kill Switch” and it is intended for the administrator of the Slack group. Its purpose is to allow resetting the passwords for the entire collaboration team if suspicious activity is detected or if a password refresh is needed as part of best security practices.

Furthermore, this option also causes every member of the group to be signed out on all devices used for team communication. The option is available under the authentication tab on team settings page.

The investigation is ongoing and law enforcement has been notified. Slack users are advised to enable 2FA as soon as possible.

Data sent via Slack is protected by 256-bit AES encryption and it is sent over TLS 1.2 using the ECDHE_RSA Key Exchange Algorithm.