If your organization uses Slack, there’s a chance a hacker got a peek at some sensitive info recently. The fast-growing enterprise chat startup confirmed today that its database was breached in February and that the intruder had access to the names, email addresses, and encrypted passwords of Slack users.
But the coast, Slack assures is customers, is clear. You can keep chatting away.
The four-day breach has since been patched, and in response to the incident, Slack has added two-factor authentication to beef up security. The feature, reportedly already being built, was fast-tracked once the team learned of this latest breach.
In a blog post, Slack assured users that no financial information was accessed, only the names and contact info about a small group of users.
Since the compromised system was first discovered, we have been working 24 hours a day to methodically examine, rebuild and test each component of our system to ensure it is safe. We are collaborating with outside experts to cross-check assumptions and ensure that we are meticulous in our approach. In addition we have notified law enforcement of this illegal intrusion.
As part of our investigation we detected suspicious activity affecting a very small number of Slack accounts. We have notified the individual users and team owners who we believe were impacted and are sharing details with their security teams. Unless you have been contacted by us directly about a password reset or been advised of suspicious activity in your team’s account, all the information you need is in this blog post.
The most concerning part of the breach–and the reason two-factor authentication makes for a logical response–is the fact that passwords were included in the data that was accessed. These passwords were encrypted using a common method known as hashing, so it’s unlikely that the hackers were able to decrypt them and access any user accounts, although it’s not impossible.
As alarming as the hack may seem, it could have been much worse. The breadth of the data Slack is sitting on in general is pretty valuable, from financial credentials to the contents of discussions held across entire organizations. If a hacker got into the Fast Company Slack, for example, they could pass along future editorial plans and business details to our competitors–or simply try to embarrass us by publishing our frequent all-emoji conversations.
Two-factor authentication–requiring users to identify themselves using two different components–is a common way for services to secure themselves against third-party exploits, such as the one that famously ruined tech writer Mat Honan’s day in a big way. It’s an all-around sensible approach to safeguarding user security–at least until we can unlock all of our devices and apps using our fingerprints and faces–but in this case, two-factor authentication wouldn’t have necessarily prevented this sort of breach.
That would require a different approach to engineering how the data itself is stored. One option, says former Stanford University professor Elizabeth Stark, is for apps like Slack to decentralize their data.
“When data can be stored locally on a user’s device and used to authenticate without having to be stored in a centralized repository, we no longer have the possibility of millions of users’ personal information being compromised,” says Stark. “Two-factor auth doesn’t really help with this.”
Slack is an endlessly buzzed-about startup created by Flickr cofounder Stewart Butterfield in the fall of 2013. Since its launch, Slack has exploded, amassing over 500,000 users at a growing list of companies, including tech giants like Apple, Google, Facebook, and Amazon.
This isn’t the first time Slack has dealt with a security exploit. In October of last year, a bug exposed each organization’s list of chat rooms–which can include potentially confidential insights–to anyone willing to poke around a given company’s sign-in screen.
With today’s news, Slack obviously aims to make security breaches of all kinds far less likely.