
Collaboration tool Slack was hacked, here’s how to protect yourself

Apr 6, 2015 // Andrew Stroup

The popular team collaboration and group chat tool Slack was recently hacked, leaking over 50,000 emails and other personal account information. Fortunately, the passwords weren’t compromised, but additional security precautions were recommended to further protect user data.

Slack is a collaboration tool built around user-defined chatrooms that support file sharing and private messaging. Slack was launched in August 2013 and attracted 8000 signups within 24 hours of launch. Ideal for smaller teams rather than large departments, the service also offers integration with other tools, such as Google Docs and Dropbox.

The breach occurred back in February and lasted four days. Slack told The Verge “that databases containing team message history were not accessed as part of the breach. No payment information was exposed…”

In October 2014 a bug was reported that enabled non-logged-in visitors to the site to view the names of channels (chat rooms) in use by a particular company. So with team messages remaining confidential (something that probably saved Slack a lot of already perturbed customers), the focus of the attack was on user details: the email address used for signing in, and other profile information such as Slack username, phone number, profile data and Skype account name.

Slack maintains that the leaked passwords could not be used by the intruders, because they were stored as “one-way encrypted (‘hashed’) passwords.”

To explain further:

“We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing.”

It is worth noting that Slack dealt with the matter efficiently, and didn’t release any information about the attack until they had communicated with those that were affected. So if you haven’t heard from Slack, then it is unlikely that you’re impacted. However, the fact that those passwords are hashed does not mean that they cannot be broken, with the right tools.

To deal with the attack, Slack introduced two new features. The first was to give administrators a universal reset switch, thereby forcing all users on a particular team to reset their passwords. Doing so mitigates any immediate security concerns. Long term, however, the answer can no doubt be found in two-factor authentication, which Slack has also now introduced. To activate it, sign into your Slack account, click your status in the lower-left corner and select Your Profile > Edit Profile. From there, switch to Settings and expand the Two-factor authentication section.

Ultimately, this attack reinforces that it’s not a matter of if, but when, a company’s security becomes compromised, which shifts the focus from protection alone to mitigation through strong security practices as well.