Slack & Hack: What You Need to Know About Collaboration Tool Security Breach
Pinterest Stumbleupon Whatsapp
Advertisement

Popular online collaboration tool Slack was breached, resulting in 500,000 email addresses and other personal account data being leaked. While passwords have remained safe, users are encouraged to take steps.

Just What Is Slack?

Slack is a collaboration tool that is essentially a collection of user-defined chatrooms that support file sharing and private messaging, Slack was launched in August 2013, and within 24 hours of launch had attracted 8000 signups. Ideal for smaller teams rather than large departments, the service also offers integration with other tools, such as Google Docs and Dropbox.

muo-security-slackhack-logo

This isn’t the sort of tool you’ll usually use around the house, but if you work in an office that needs good software for project management How To Use Slack For Project Management With These Simple Tips How To Use Slack For Project Management With These Simple Tips With Slack's clever set of features and distraction-free user interface, the platform can double up as a project management tool for you. Learn how to set it up as your online personal assistant. Read More  and want to make intra-team communication more effective Slack Makes Group Communication Faster and Easier Slack Makes Group Communication Faster and Easier Group emails can really kill productivity. It's time to put mail clients to rest and use collaboration services like newly launched Slack. Read More , whether your colleagues are grouped in an office or exist as a distributed team (also known as a virtual team, i.e. one that consists of personnel situated around the planet), then Slack is a great choice.

Slack is available in your browser and also as a mobile app for iOS and Android. Official desktop clients are available for Windows and Mac OS X, and there is also an unofficial Linux version Linux-Loving Slack Users: Here's an App For You! Linux-Loving Slack Users: Here's an App For You! Get a working Slack client for Ubuntu, complete with notifications and an independent icon. ScudCloud is the unofficial Slack client Ubuntu users have been looking for. Read More .

The Slack Security Breach

Slack may well have become a target thanks to its recent $2.76 billion market evaluation, as well as the news that 135,000 of its 500,000 users pay a fee to use the service, or have a fee paid on their behalf by an employer.

The breach occurred back in February and lasted four days. Slack told The Verge “that databases containing team message history were not accessed as part of the breach. No payment information was exposed…”

Interestingly, this isn’t the first time that Slack has been caught with its pants down, security-wise. In October 2014 a bug was reported that enabled non-logged in visitors to the site to view the names of channels (chat rooms) in use by a particular company.

So with team messages remaining confidential (something that probably saved Slack a lot of already perturbed customers) the focus of the attack was on user details, things like the email address used for signing in, and other profile information such as Slack username, phone number, profile data and Skype account name.

What About The Passwords?

Slack maintains that any leaked passwords would not be hacked by the intruders, thanks to them being “one-way encrypted (‘hashed’) passwords.”

muo-security-slackhack-laptop2

To explain further:

“We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing.”

It is worth noting that Slack dealt with the matter efficiently, and didn’t release any information about the attack until they had communicated with those that were affected. So if you haven’t heard from Slack, then it is unlikely that you’re impacted.

However, the fact that those passwords are hashed does not mean that they cannot be broken, with the right tools.

Taking Steps To Secure Slack

To deal with the attack, Slack introduced two new features. The first was to give administrators a universal reset switch, thereby forcing all users under a particular team to reset their passwords. Doing so will mitigate any immediate security concerns.

muo-security-slackhack-enable2fa

Long term, however, the answer can no doubt be found in two-factor authentication What Is Two-Factor Authentication, And Why You Should Use It What Is Two-Factor Authentication, And Why You Should Use It Two-factor authentication (2FA) is a security method that requires two different ways of proving your identity. It is commonly used in everyday life. For example paying with a credit card not only requires the card,... Read More , which has also now been introduced by Slack. To activate this, you should sign into your Slack account, click your status in the lower-left corner and select Your Profile > Edit Profile. From here, switch to Settings and Expand the Two factor authentication section.

Add your current Slack password, click the Enable two factor authentication button, where you will see instructions for scanning a barcode with your chosen authenticator app (screenshots below are from Google Authenticator, but you may also use Duo for Android or iPhone, or Windows Phone Authenticator).

Next, switch to the authenticator app on your smartphone and use the account setup option to scan the barcode. A verification code will be displayed, and you’ll need to enter this in the box on the Slack website to activate two-factor authentication.

Note that ten backup codes will also be displayed, just in case you lose your smartphone. Should this happen, use a backup code to sign into Slack.

More Two Factor Authentication, Please!

Slack should be commended for their speed and efficiency in dealing with the breach, once discovered. While it occurred in February, the company’s first response was to contact the affected account holders.

It’s interesting that Slack was already planning to introduce two-factor authentication, but all this event really tells us is that 2FA should be in place already, for all online accounts. It simply makes sense, even if the whole two-factor authentication setup could be streamlined Can Two-Step Verification Be Less Irritating? Four Secret Hacks Guaranteed to Improve Security Can Two-Step Verification Be Less Irritating? Four Secret Hacks Guaranteed to Improve Security Do you want bullet-proof account security? I highly suggest enabling what's called "two-factor" authentication. Read More .

Were you affected by the Slack breach? Are you frustrated by the lack of two-factor authentication in the services you use? Let us know.

Image Credit: Axe chops firewood Via Shutterstock, Woman with laptop via PlaceItJC713

Leave a Reply

Your email address will not be published. Required fields are marked *