Slack Started Resetting Passwords That Were Affected During the 2015 Data Breach
Can a data breach that happened and was remedied some four years ago impact people right now? Last week, popular work collaboration and instant messaging service Slack showed us that this is indeed possible. Let's have a look at how it all played out.
The original data breach
In March 2015, Slack detected unauthorized access to its infrastructure, and after some investigation, it realized that hackers had stolen a database containing user information. The compromised data included email addresses, login credentials, as well as optional details like phone numbers and Skype IDs.
The exposed passwords had been hashed with bcrypt, and for additional protection, Slack had used unique salts, which meant that the criminals didn't have much hope of exploiting this part of the database. Some more digging around revealed, however, that the crooks had also managed to inject code that intercepted plaintext passwords as users entered them.
Slack, which, according to Statista, had about half a million active users at the time, knew that the stakes were high. It analyzed the attack, identified a relatively small number of impacted users, and reset their passwords. A blog post told everybody what had happened, and Slack's development team even launched two-factor authentication about a week ahead of schedule in an effort to put people's minds at rest.
That, it seemed, was that. Then Thursday came along.
Slack receives new information that might be related to 2015's data breach
On July 18, ZDNet learned that Slack was preparing to send out some password reset emails. Nothing was official at the time, but the news outlet's information suggested that around 65 thousand users were about to have their passwords reset. ZDNet tried to get in touch with Slack's developers but received no response.
A few hours later, Slack explained what was going on. It had been contacted through its bug bounty program and given a list of login credentials that supposedly belonged to some of its users. The blog post says that this sort of thing is more or less a regular occurrence and that the data sent through the bug bounty program often consists of login credentials that were stolen from other services and reused on Slack. Sure enough, when the messaging application's security team analyzed some of the data, they identified a few valid passwords and immediately reset them.
Further investigation revealed, however, that "the majority" of the credentials in the compromised database belonged to accounts that were active at the time of the 2015 data breach. Slack's security people didn't specifically point out whether or not the information they were looking at had been stolen all those years ago from their backend. They decided not to take any chances, however, and they reset the passwords of about 1% of Slack's current user base. That covers all accounts that were active at the time of 2015's data breach, with the exception of the ones that use Single Sign-On and the ones that have changed their passwords after March 2015.
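The two-step response described above (reset reported credentials that still work, then reset everyone whose password predates the breach) can be expressed as the following Python example, which is added here and is not code from Slack or from the original article. The `Account` layout, the `CUTOFF` date, the use of PBKDF2 in place of bcrypt, and all sample accounts are assumptions made for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import datetime, timezone

CUTOFF = datetime(2015, 4, 1, tzinfo=timezone.utc)  # assumption: reading of "after March 2015"

def kdf(password: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt (named in the article); PBKDF2 is in the stdlib.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:  # hypothetical record layout, not Slack's schema
    email: str
    created: datetime
    password_changed: datetime
    uses_sso: bool
    salt: bytes
    pw_hash: bytes

def still_valid(acct: Account, candidate: str) -> bool:
    return hmac.compare_digest(kdf(candidate, acct.salt), acct.pw_hash)

def in_breach_cohort(acct: Account) -> bool:
    return acct.created < CUTOFF and not acct.uses_sso and acct.password_changed < CUTOFF

def accounts_to_reset(accounts, reported):
    """Map email -> reason. `reported` is an iterable of (email, password)."""
    by_email = {a.email: a for a in accounts}
    resets = {}
    for email, password in reported:  # step 1: reported pairs that still work
        acct = by_email.get(email)
        if acct is not None and still_valid(acct, password):
            resets[email] = "reported credential still valid"
    for a in accounts:  # step 2: precautionary reset of the 2015 cohort
        if in_breach_cohort(a):
            resets.setdefault(a.email, "password unchanged since breach")
    return resets

def demo():
    def acct(email, created, changed, sso, pw):  # constructed sample data
        salt = os.urandom(16)
        return Account(email, datetime(*created, tzinfo=timezone.utc),
                       datetime(*changed, tzinfo=timezone.utc), sso, salt, kdf(pw, salt))
    accounts = [acct("a@example.com", (2014, 6, 1), (2014, 6, 1), False, "pw-a"),
                acct("b@example.com", (2014, 6, 1), (2016, 1, 1), False, "pw-b2"),
                acct("c@example.com", (2014, 9, 1), (2014, 9, 1), True, "pw-c"),
                acct("d@example.com", (2017, 3, 1), (2017, 3, 1), False, "pw-d")]
    reported = [("b@example.com", "pw-b1"), ("d@example.com", "pw-d"), ("x@example.com", "pw-x")]
    return accounts_to_reset(accounts, reported)
```

In the constructed data, account `d` joined after the breach but is reset because a reported password still verifies, while `b` and `c` are skipped because of a later password change and Single Sign-On respectively.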
Nobody knows how much risk the impacted accounts were exposed to, but it's fair to say that Slack's security team acted out of an abundance of caution and did the right thing. For the rest of us, this particular incident can teach us how long-lasting the effects of a data breach can be on both regular users and attacked companies.