Some of you might remember that, back in 2015, Slack faced a security breach in which hackers gained access to its central user database, which included usernames, e-mail addresses, encrypted passwords and other information that users had added to their accounts, such as phone numbers or Skype IDs.
No financial data was exposed, and Slack was quick to patch up the situation: it enabled two-factor authentication as well as a password kill switch for teams. This particular security measure allowed team admins to kick everyone out of a Slack room and force them to reset their passwords, whether they liked it or not.
Back then, Slack said that it believed “there was no unauthorized access to any of your team data (such as messages or files)”. However, it looks like that was not the case and the breach was actually more serious than the company initially assumed.
According to Slack, the “unauthorized individuals” behind the 2015 breach also pushed code onto some users’ computers that could capture plaintext passwords in real time.
The company was contacted via its bug bounty program with a report that some Slack credentials might have been compromised. Initially, Slack believed it was dealing with malware or password re-use between services, as such reports come in fairly often.
After confirming that the reported e-mail address and password combinations were valid, Slack reset those passwords and contacted the affected users to explain the situation.
After a while though, it was revealed that most of the compromised credentials belonged to the accounts that had logged in during the 2015 breach.
In order to deal with the situation, Slack decided to reset the passwords of all accounts that were active during the incident, except for those that use SSO or whose passwords had been changed after March 2015.
“We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause,” Slack said in a blog post. “However, we do recognize that this is inconvenient for affected users, and we apologize.”
In the same blog post, Slack stresses repeatedly that, if you joined the service after March 2015, your account is not affected and your password will not be reset. Even so, if you haven’t changed your password at all since then, this situation is as good a reminder as any to do so, just in case.