Popular messaging service Slack is to reset the user passwords for thousands of customers after a historic data breach.
Around one percent of all Slack users are thought to be affected by the attack – equivalent to over 65,000 customers.
Slack, which stands for the Searchable Log of All Conversation and Knowledge, has more than 10 million daily users.
The company was recently valued at over $20bn and claims to have 10 million active daily users worldwide. Customers include 21st Century Fox, the BBC and Lyft.
The company confirmed it will reset the passwords of users it believes could be affected by the cyberattack which happened in 2015.
Slack said it was resetting the passwords after an investigation revealed that stolen credentials were being sold online. These included customer profiles, hashed passwords and some passwords in clear text.
Hackers
Hackers gained access to its user profile database four years ago and this included access to the scrambled user passwords.
The attackers were able to insert code to log passwords in plain text as they were typed.
The company became aware of the attack after being contacted recently through its bug bounty program about a list of allegedly compromised Slack account passwords.
The stolen account information was originally thought to be the result of isolated malware infections or phishing operations.
Passwords
However, after investigating, the usernames and passwords were found to have been lifted from the historic cyber-attack.
Slack was quick to reset passwords of users that were confirmed to have been impacted by the ensuing investigation.
The company now says it will be resetting passwords for another 100,000 users in response to “new information” about that hack.
Slack recently added several security upgrades, including the launch of Enterprise Key Management to give an added layer of protection. The new service will allow businesses admins full control over the encryption keys used to encrypt the files and messages within their Slack workspace.
Slack is used by businesses as it can replace email, text messaging, and instant messaging for their staff.
There are both desktop and mobile versions and users can collaborate and coordinate their work no matter whether they are in the office or remotely.
Disclosure
Slack confirmed in a recent disclosure notice that it had recently received details of potentially compromised user credentials.
“However, as more information became available and our investigation continued,” the notice explained, “we determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident.”
Slack maintains that the majority of users did not need to have their accounts reset.
The only users at risk were people who began using Slack before February of 2015 who did not reset their passwords after the cyberattack took place. And those who did not implement two-factor authentication on their accounts.
