
Slack resets passwords possibly compromised in 2015 hack

Slack has reset passwords for 1% of users after uncovering new information regarding a 2015 hack of its systems.

Slack reset the passwords of tens of thousands of users Thursday after learning a 2015 hack was more severe than previously thought. The move came after a tipster provided account information that Slack determined to have been compromised during the data breach four years ago.

Slack reset the passwords of every user who created an account before March 2015 and who had not changed their passwords since that time. The action affected 1% of Slack users, which likely amounts to over 100,000 people given that Slack has more than 10 million daily active users.

Hackers gained access to Slack's systems for around four days in February 2015. At the time, the company acknowledged that account information -- including usernames, phone numbers and Skype IDs -- had been compromised, but said any passwords collected were encrypted and useless to the hackers.

The hackers also injected code to collect plain-text passwords of users who logged in during the breach. Slack did not include this information in a 2015 blog post about the data breach but mentioned that it had reset the passwords of "a very small number" of accounts after detecting suspicious activity.

Slack said Thursday that someone recently contacted them with compromised account information the company quickly confirmed was legitimate. Further investigation revealed "the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident," the company said.

Slack declined to answer any additional questions. In 2015, the company said it had referred the incident to law enforcement.

Slack user Carl Gottlieb said the company alerted him on June 26 that his password had been compromised. Gottlieb said the company explained that a third party had anonymously provided them with a combination of his email address and plain-text password.

Although it's not clear whether his case is related to the 2015 breach, Gottlieb told TechTarget that he had not changed his Slack password since before March 2015 and that he did not use it in connection with any other app. The password was for a "throwaway test account" he had made.

"Personally, this incident hasn't bothered me, but what is curious is the lack of information coming from Slack, and why it has taken three weeks for them to provide more details about where these breached passwords actually came from," Gottlieb said.

Slack said it had no evidence that hackers had accessed the accounts of users whose passwords were reset Thursday. The company did not reset the passwords of the approximately 99% of Slack users who joined the app after March 2015, who had reset their passwords since that time, or who log in through a single sign-on vendor.

Immediately following the 2015 hack, Slack implemented two-factor authentication, giving users the option of requiring a text message or email code to confirm login attempts from unrecognized devices. It also gave team owners a tool to instantly reset the passwords of all team members, forcibly ending any active sessions.

Slack's new revelations about the 2015 data breach come one week after close partner Zoom came under fire from a security researcher for its use of a potentially vulnerable web server on Mac devices.

Unlike Zoom, Slack appears to have acted quickly in response to a tip received through its bug bounty program, said Irwin Lazar, analyst at Nemertes Research.

"Obviously any time there is a security incident it will negatively impact a company's reputation," Lazar said. "However, given this was a potential issue that was reported to them through their bounty program, and at this point not one that seems to have been exploited, I don't expect any significant negative impact on them."

Slack debuted on the New York Stock Exchange in June. The company's share price was down more than 3% Thursday afternoon.
