Slack Started Resetting Passwords That Were Affected During the 2015 Data Breach

Slack Resets Passwords After 2015 Data Breach

Can a data breach that happened and was remedied some four years ago impact people right now? Last week, popular work collaboration and instant messaging service Slack showed us that this is indeed possible. Let's have a look at how it all played out.

The original data breach

In March 2015, Slack detected unauthorized access to its infrastructure, and after some investigation, it realized that hackers had stolen a database containing user information. The compromised data included email addresses, login credentials, as well as optional details like phone numbers and Skype IDs.

The exposed passwords had been hashed with bcrypt, and for additional protection, Slack had used unique salts which meant that the criminals didn't have much hope of exploiting this part of the database. Some more digging around revealed, however, that the crooks had also managed to inject code which intercepted plaintext passwords as users entered them.

Slack, which, according to Statista, had about half a million active users at the time, knew that the stakes were high. It analyzed the attack, identified a relatively small number of impacted users, and reset their passwords. A blog post told everybody what had happened, and Slack's development team even launched two-factor authentication about a week ahead of schedule in an effort to put people's minds at rest.

That, it seemed, was that. Then Thursday came along.

Slack receives new information that might be related to 2015's data breach

On July 18, ZDNet learned that Slack was preparing to send out some password reset emails. Nothing was official at the time, but the news outlet's information suggested that around 65 thousand users were about to have their passwords reset. ZDNet tried to get in touch with Slack's developers but received no response.

A few hours later, Slack explained what was going on. It got contacted through its bug bounty program and was given a list of login credentials that supposedly belonged to some of its users. The blog post reads that this sort of thing is more or less a regular occurrence and that the data sent through the bug bounty program often consists of login credentials that are stolen from other services and are reused on Slack. Sure enough, when the messaging application's security team analyzed some of the data, they identified a few valid passwords and immediately reset them.

Further investigation revealed, however, that "the majority" of the credentials in the compromised database belonged to accounts that were active at the time of the 2015 data breach. Slack's security people didn't specifically point out whether or not the information they were looking at had been stolen all those years ago from their backend. They decided not to take any chances, however, and they reset the passwords of about 1% of Slack's current user base. That's all accounts that were active at the time of 2015's data breach with the exception of the ones that use Single Sign-On and the ones that have changed their passwords after March 2015.

Nobody knows how much risk the impacted accounts were exposed to, but it's fair to say that Slack's security team acted out of an abundance of caution and did the right thing. For the rest of us, this particular incident can teach us how long-lasting the effects of a data breach can be on both regular users and attacked companies.

By Duran
July 23, 2019
News
English
July 23, 2019
News

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

News

Under Armour's MyFitnessPal Succumbs to Major Data Breach Exposing 150 Million User Passwords

Today's sensitive nature of personal data has us all in a frenzy to protect it to the best of our abilities. Unfortunately, the powers that be may have other plans for our personal data and choose to expose whatever... Read more

March 30, 2018
News

Canva Users Are Advised to Change Their Passwords After a Data Breach

Learning that an online service with hundreds of millions of users has found itself on the receiving end of a cyberattack is never a good thing. However, many different factors regarding the nature of the breached... Read more

May 28, 2019
News

Passwords, Addresses, and Payment Card Data Were Leaked During a Vision Direct Data Breach

Vision Direct, a large, multi-national online retailer of contact lenses, glasses, and other eyecare products recently suffered a data breach which exposed the personal information of some of its customers. This type... Read more

November 21, 2018
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.