Slack resetting passwords for roughly 1% of its users

Pierluigi Paganini July 19, 2019

Slack is resetting passwords for accounts belonging to users that have not secured them after the data breach suffered by the company in 2015.



“In response to new information about our 2015 security incident (explained here at the time), we are resetting passwords for approximately 1% of Slack accounts.” reads the announcement published by the company.

“This announcement affects you only if you

  • created your account before March 2015,
  • AND have not changed your password since,
  • AND your account does not require logging in via a single-sign-on (SSO) provider.”
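The three conditions above map directly onto a predicate over account records, which is how an identity team would compute the reset cohort and check the "approximately 1%" figure. The following Python is an added example, not Slack's code: the field names, the cutoff date of 1 March 2015 (the page only says "before March 2015"), the reading of "not changed since" as "no password change on or after the cutoff", and the sample accounts are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumption: the announcement says "before March 2015", so the cohort
# boundary is taken as the first day of that month (UTC).
BREACH_CUTOFF = datetime(2015, 3, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Account:
    """Hypothetical account record with the three fields the criteria need."""
    email: str
    created_at: datetime
    # None means the password was never changed after the account was created.
    password_changed_at: Optional[datetime]
    # True when the workspace forces sign-in through an SSO provider, so the
    # Slack password is never used and a leaked hash does not grant access.
    sso_required: bool


def needs_reset(acct: Account, cutoff: datetime = BREACH_CUTOFF) -> bool:
    """True when all three conditions from the announcement hold.

    Condition 3 (SSO) is checked first because it overrides the others:
    an SSO-only account has no usable Slack password to reset.
    """
    if acct.sso_required:
        return False
    if acct.created_at >= cutoff:
        return False
    if acct.password_changed_at is None:
        return True  # never changed: the pre-incident password is still live
    # Assumed conservative reading: a change that itself predates the cutoff
    # could have been captured too, so only a change on/after the cutoff clears
    # the account.
    return acct.password_changed_at < cutoff


def reset_cohort(accounts: List[Account]) -> Tuple[List[Account], float]:
    """Return the accounts to reset and their share of the whole population."""
    selected = [a for a in accounts if needs_reset(a)]
    share = len(selected) / len(accounts) if accounts else 0.0
    return selected, share


def sample_accounts() -> List[Account]:
    """Constructed sample data covering each branch of the predicate."""
    utc = timezone.utc
    return [
        # old account, password never changed, password login: reset
        Account("alice@example.com", datetime(2014, 6, 1, tzinfo=utc), None, False),
        # old account, but password changed after the cutoff: safe
        Account("bob@example.com", datetime(2014, 6, 1, tzinfo=utc),
                datetime(2016, 1, 1, tzinfo=utc), False),
        # old account, never changed, but SSO-only: no Slack password to reset
        Account("carol@example.com", datetime(2014, 6, 1, tzinfo=utc), None, True),
        # created after the cutoff: not in the exposed population
        Account("dave@example.com", datetime(2017, 1, 1, tzinfo=utc), None, False),
        # old account whose last change is still before the cutoff: reset
        Account("erin@example.com", datetime(2015, 1, 10, tzinfo=utc),
                datetime(2015, 2, 15, tzinfo=utc), False),
    ]


if __name__ == "__main__":
    cohort, share = reset_cohort(sample_accounts())
    for acct in cohort:
        print("reset:", acct.email)
    print(f"share of population: {share:.1%}")
```

Run as a script it lists alice and erin and reports a 40% share for the constructed sample; on a real user table the same predicate is what produces a figure like Slack's 1%. Whether a pre-cutoff password change should clear an account is a policy choice that depends on when the credential-capturing code was active, which the page does not specify, so the example takes the conservative option.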

In March 2015, Slack detected unauthorized access to a database containing details of users’ accounts, including usernames, email addresses, hashed passwords, phone numbers and Skype IDs.

The attackers also planted code in Slack's systems that captured plaintext passwords as users entered them, so even accounts with strong hashed passwords were exposed. No financial or payment information was accessed or compromised in this attack.

Immediately after discovering the breach, Slack reset the passwords of the limited number of users it could confirm were affected and recommended that all other users change their passwords and enable two-factor authentication (2FA).

Slack recently received a report through its bug bounty program indicating that other users' credentials might have been compromised. The company initially attributed this to the usual causes of such reports: malware on users' machines, or password reuse across services following a breach at a third party.

“We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password re-use between services, which we believed to be the case here.” continues the announcement. “We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users.”

Slack has reset the passwords of these users and sent them notifications.

“We were recently notified that your sign-in credentials (email address and password) for your xxxxx account on xxxxxx.slack.com were discovered as being in the possession of an unauthorized individual.” reads the notification. “This may be the result of malware installed on a computer you’ve used to sign in to Slack or your credentials being reused from a previous breach of a third party, such as those listed on sites like haveibeenpwned.com.”

Slack is still investigating the latest incident and will share more information once the investigation is complete.


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)
