Popular online collaboration tool Slack was breached, resulting in 500,000 email addresses and other personal account data being leaked. While passwords have remained safe, users are encouraged to take steps.
Just What Is Slack?
Slack is a collaboration tool that is essentially a collection of user-defined chatrooms that support file sharing and private messaging, Slack was launched in August 2013, and within 24 hours of launch had attracted 8000 signups. Ideal for smaller teams rather than large departments, the service also offers integration with other tools, such as Google Docs and Dropbox.
This isn’t the sort of tool you’ll usually use around the house, but if you work in an office that needs good software for project management and want to make intra-team communication more effective, whether your colleagues are grouped in an office or exist as a distributed team (also known as a virtual team, i.e. one that consists of personnel situated around the planet), then Slack is a great choice.
Slack is available in your browser and also as a mobile app for iOS and Android. Official desktop clients are available for Windows and Mac OS X, and there is also an unofficial Linux version.
The Slack Security Breach
Slack may well have become a target thanks to its recent $2.76 billion market evaluation, as well as the news that 135,000 of its 500,000 users pay a fee to use the service, or have a fee paid on their behalf by an employer.
The breach occurred back in February and lasted four days. Slack told The Verge “that databases containing team message history were not accessed as part of the breach. No payment information was exposed…”
Interestingly, this isn’t the first time that Slack has been caught with its pants down, security-wise. In October 2014 a bug was reported that enabled non-logged in visitors to the site to view the names of channels (chat rooms) in use by a particular company.
So with team messages remaining confidential (something that probably saved Slack a lot of already perturbed customers) the focus of the attack was on user details, things like the email address used for signing in, and other profile information such as Slack username, phone number, profile data and Skype account name.
What About The Passwords?
Slack maintains that any leaked passwords would not be hacked by the intruders, thanks to them being “one-way encrypted (‘hashed’) passwords.”
To explain further:
“We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing.”
It is worth noting that Slack dealt with the matter efficiently, and didn’t release any information about the attack until they had communicated with those that were affected. So if you haven’t heard from Slack, then it is unlikely that you’re impacted.
However, the fact that those passwords are hashed does not mean that they cannot be broken, with the right tools.
Taking Steps To Secure Slack
To deal with the attack, Slack introduced two new features. The first was to give administrators a universal reset switch, thereby forcing all users under a particular team to reset their passwords. Doing so will mitigate any immediate security concerns.
Long term, however, the answer can no doubt be found in two-factor authentication, which has also now been introduced by Slack. To activate this, you should sign into your Slack account, click your status in the lower-left corner and select Your Profile > Edit Profile. From here, switch to Settings and Expand the Two factor authentication section.
Add your current Slack password, click the Enable two factor authentication button, where you will see instructions for scanning a barcode with your chosen authenticator app (screenshots below are from Google Authenticator, but you may also use Duo for Android or iPhone, or Windows Phone Authenticator).
Next, switch to the authenticator app on your smartphone and use the account setup option to scan the barcode. A verification code will be displayed, and you’ll need to enter this in the box on the Slack website to activate two-factor authentication.
Note that ten backup codes will also be displayed, just in case you lose your smartphone. Should this happen, use a backup code to sign into Slack.
More Two Factor Authentication, Please!
Slack should be commended for their speed and efficiency in dealing with the breach, once discovered. While it occurred in February, the company’s first response was to contact the affected account holders.
It’s interesting that Slack was already planning to introduce two-factor authentication, but all this event really tells us is that 2FA should be in place already, for all online accounts. It simply makes sense, even if the whole two-factor authentication setup could be streamlined.
Were you affected by the Slack breach? Are you frustrated by the lack of two-factor authentication in the services you use? Let us know.