Slack prompts password reset to 100,000 users following the 2015 breach

Slack sweeps up after 2015 hack: compromised credentials of thousands of users reset to ensure security

Slack prompted a password reset for 1% of its userbase after the bounty program revealed still-affected accounts

Slack, a popular cloud-based workspace app, sent out emails to 1% of its users to warn them about a necessary password reset. The action was taken due to the March 2015 security breach,[1] when unknown attackers managed to access the company's internal servers for approximately four days.

The unauthorized access allowed the threat actors to harvest users' profile details such as hashed passwords, usernames, and emails. Additionally, malicious code was inserted into the official Slack site, which allowed the attackers to steal plain-text passwords as soon as users entered them. In response,[2] the app maker reset the passwords of all users who were believed to be impacted at the time and enabled two-factor authentication support for further protection.

However, Slack recently received numerous customer credentials via its bounty program and began an investigation while resetting the passwords of those affected. As it turned out, most of the credentials were related to the 2015 breach:[3]

We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users. However, as more information became available and our investigation continued, we determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident.

Roughly 1% of Slack's userbase affected

Slack runs the bounty program[4] so that independent security researchers and enthusiasts can find loopholes in its security procedures or locate compromised data on underground forums. As soon as such a compromise is spotted and reported to the organization, the ethical hacker receives a payout. Many corporations engage in this practice, as it is a win-win situation for both parties.

In this way, Slack obtained a batch of credentials that related to its users. Initially, it was thought that the compromise was due to passwords that were reused for multiple accounts or data-stealing malware that users were infected with. While analyzing the credentials of the affected users, the company soon noticed that they were indeed related to the 2015 hack.

Further investigation showed that the impacted users were mainly those with poor security practices:

  • those who created their account before 2015;
  • those who have never reset their password since account creation;
  • those who do not log in via a single sign-on (SSO) provider.

Based on these criteria, Slack determined that only 65,000 users are affected by this issue. Nevertheless, Slack decided to reset the passwords of all users who were active during the breach period in 2015, which came close to a total of 1% of customers, approximately 100,000 users.

Use adequate security measures to protect your accounts from compromise

Unfortunately, data breaches are quite a common occurrence. Just by looking at recent security news, one can notice multiple data compromise incidents, be it leaky AWS S3 buckets,[5] poorly secured internal networks, or inadequate protection of personally identifiable information.

The frequent incidents prove that users who expose sensitive information to multiple corporations are not in control of their own data security. Thus, users end up with compromised credit scores, lost money, or even stolen identities.

While there is not much you can do about how companies protect your data, you can ensure that your account is secured with two-factor authentication. Additionally, using complex passwords that are frequently changed and NEVER reused increases the security of accounts by a great margin.

If you were impacted by Slack's 2015 data breach and received an email from the provider, make sure you check your access logs within the application to see what IPs were used to access your account.

About the author
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has long experience working in the malware and technology fields.
