More than four years ago, attackers infiltrated Slack’s network and were able to get access to a database that stored some usernames and hashed passwords. At the time, Slack reset the passwords for what officials said were the small number of users affected. But now, the company has revealed new information about the incident and is resetting the passwords for nearly all of the accounts that were active at the time of the original compromise.
During the 2015 intrusion, the attackers not only got into that database of user information, but also were able to insert some server-side code that allowed them to intercept users’ passwords in plaintext as they typed them. The attackers had access to the Slack infrastructure for about four days, the company said at the time, and in the wake of the incident Slack not only reset the affected users’ passwords but also released two-factor authentication capability for the service. That seemed to be the end of it, but things changed recently when an external researcher contacted Slack and provided a set of potentially compromised Slack user credentials.
“We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password re-use between services, which we believed to be the case here,” Slack said in a blog post Thursday.
“We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users. However, as more information became available and our investigation continued, we determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident.”
Given that the attackers were able to grab some users’ plaintext passwords as they entered them during the 2015 incident, and already had access to the usernames, it’s likely that the credentials the researcher sent to Slack were taken as part of that original incident. Although the company had already reset the passwords for the users affected four years ago, Slackon Thursday took another step.
“Today we are resetting passwords for all accounts that were active at the time of the 2015 incident, with the exception of accounts that use SSO or with passwords changed after March 2015. We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause,” the company said.
Slack offers a 2FA option that uses a code sent to mobile devices, but organizations also have the ability to put their Slack implementations behind a single-sign on gateway as an extra layer of protection.