Site icon Sophos News

Slack gets hacked – rolls out two-factor authentication after user database breach

Slack says user database was hacked.Slack is the latest start-up to make a big media splash in one of the worst possible ways – by acknowledging a data breach that exposed its users to malicious hackers.

If you haven’t heard of it until now, Slack is a “team collaboration” platform that promises businesses a way to simplify communications, file-sharing, project management and more.

The San Francisco-based company announced the breach in a blog post last Friday, saying that its database of usernames, email addresses and hashed passwords was accessed over the course of four days in February.

Because the stored passwords were encrypted with a technique known as salting and hashing it’s unlikely the hackers would have been able to crack well-chosen passwords.

Phone numbers and Skype IDs also could have been swiped, if users had entered that optional information into their profiles.

Although no financial information was stolen, Slack said on its blog that the company noticed “suspicious activity” on a small number of accounts:

As part of our investigation we detected suspicious activity affecting a very small number of Slack accounts. We have notified the individual users and team owners who we believe were impacted and are sharing details with their security teams.

Precisely what “suspicious activity” means, we can’t say – but if a hacker gained access to user accounts they would have been able to see all of the account’s stored chats, or access potentially sensitive data or documents.

At the same time as its breach announcement, Slack said it has rolled out two password security features to all users and teams: two-factor authentication (2FA) and a “password kill switch” that teams can use to simultaneously reset passwords or terminate user sessions across apps on all devices.

Announcing security enhancements at the same time may have been a good way to soften the blow – affected users likely feel better about that than receiving pledges for security upgrades at a future date.

How much better the timing would have been if Slack had enabled 2FA before any data breach!

Of course, 2FA wouldn’t have done anything to improve the security of Slack’s authentication database, which shouldn’t have been accessible to hackers, with or without 2FA in place.

But a second layer of authentication makes it harder for hackers to login as you, even if they’ve hacked and cracked the password on your account.

With 2FA, an attacker needs not only a username and password to get into your account, but also an additional piece of information – typically a one-time code, unique for each login, sent to you via SMS or generated by an authenticator app on your phone.


(Audio player not working? Download to listen offline, or listen on Soundcloud.)

Slack Vice President Anne Toth told The Verge that the company was already close to releasing 2FA when the breach happened, but decided to push it out to coincide with the breach announcement, despite some “clunky-ness.”

We were about a week from release, with just a few small UI tweaks to simplify and clarify the usage experience. We have decided to release it immediately, despite the remaining bits of clunky-ness.

Welcome to the big time – You’ve been hacked

Slack joins a growing list of start-ups hit by hackers once they reach a critical mass of popularity with users and gained traction in the media and with investors.

As the New York Times noted, other blossoming start-ups that have been hacked in the past year include Twitch (which announced its own breach just days before Slack) and Kickstarter.

HipChat, a three-year-old company in the same team collaboration market-space as Slack, was also breached last month.

The timing of the data breach is bad for Slack (is the timing ever good?), coming just as it was preparing to announce a new round of funding.

According to the Wall Street Journal (registration required), Slack is about to announce an additional $160 million investment, bringing its valuation to a whopping $2.76 billion.

The start-up is headed up by co-founder and CEO Stewart Butterfield, who previously founded the photo platform Flickr.

Slack has received a ton of glowing press coverage, much of it earned on the basis of results.

In just the first year of its existence, Slack has shot from zero to 500,000 users, and the money is rolling in – with 135,000 of those users paying $6.67 a month per person, according to the Journal.

Slack’s CEO also has the bravado and cockiness that a company needs to thrive in the cut-throat, overcrowded, start-up world that is Silicon Valley.

Butterfield told Wired last August that he wants to kill office email, build a multi-billion-dollar company, and become indispensable to business the way Microsoft was in its dominating years – but a Microsoft, as Wired put it, that “you want to use.”

Yet Slack has had its struggles with data security, including a bug discovered last October that could have allowed corporate spies to view a list of a company’s chat rooms by signing up with a fake email address.

Slack’s big data breach should be a lesson that it needs to make security a top priority.

Will other start-ups take notice – before they become a target?

Image of monitor with “you got hacked” speech bubble courtesy of Shutterstock.

Exit mobile version