We were recently able to confirm that there was unauthorized access to a Slack database storing user profile information. We have since blocked this unauthorized access and made additional changes to our technical infrastructure to prevent future incidents. We have also released two factor authentication and we strongly encourage all users to enable this security feature.
We are very aware that our service is essential to many teams. Earning your trust through the operation of a secure service will always be our highest priority. We deeply regret this incident and apologize to you, and to everyone who relies on Slack, for the inconvenience.
Here is some specific information we can share about this incident:
Slack maintains a central user database which includes user names, email addresses, and one-way encrypted (hashed) passwords. In addition, this database contains information that users may have optionally added to their profiles, such as phone number and Skype ID.
Information contained in this user database was accessible to the hackers during this incident.
We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing.
Slack's hashing function is bcrypt with a randomly generated salt per password, which makes it computationally infeasible that your password could be recreated from the hashed form.
Our investigation, which remains ongoing, has revealed that this unauthorized access took place during a period of approximately 4 days in February. As soon as the evidence was uncovered, we started communication with the affected teams. The announcement was made as soon as we could confirm the details and as fast as we could type.
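To make the per-password salt point concrete, here is an added example (not Slack's code) of the storage design the post describes: a slow one-way function, a fresh random salt for every password, and the salt stored next to the digest so the server can recompute it at login. bcrypt is not in the Python standard library, so the example uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in; the iteration count and record format are assumptions chosen for illustration. It also shows, by contrast, why an unsalted hash is weaker: two users with the same password would share one digest.

```python
import hashlib
import hmac
import secrets

# Added example, not Slack's code. The post says Slack uses bcrypt with a
# random per-password salt; PBKDF2-HMAC-SHA256 stands in for bcrypt here
# because it ships with the standard library. The design is the same:
# a slow key-derivation function, a fresh random salt for each password,
# and a stored record that carries the salt alongside the digest.

ITERATIONS = 200_000   # assumption: work factor chosen for illustration
SALT_BYTES = 16        # 128-bit random salt per password


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Any malformed record is treated as a failed verification rather than an
    exception, so a corrupted row cannot become a login bypass.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_hash(password: str) -> str:
    """What a leaked table looks like without a per-password salt: identical
    passwords produce identical digests, so one precomputed lookup covers
    every account that shares a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_records_differ(password: str) -> bool:
    """With a random salt, two records for the same password are unrelated,
    so each one has to be attacked separately even if the database leaks."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("salted records differ:", salted_records_differ("hunter2"))
```

The record format keeps the iteration count with the hash, so the work factor can be raised for new records without invalidating old ones; a real bcrypt record does the same with its cost parameter.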
No financial or payment information was accessed or compromised in this attack.
Since the compromised system was first discovered, we have been working 24 hours a day to methodically examine, rebuild and test each component of our system to ensure it is safe. We are collaborating with outside experts to cross-check assumptions and ensure that we are meticulous in our approach. In addition, we have notified law enforcement of this illegal intrusion.
As part of our investigation we detected suspicious activity affecting a very small number of Slack accounts. We have notified the individual users and team owners who we believe were impacted and are sharing details with their security teams. Unless you have been contacted by us directly about a password reset or been advised of suspicious activity in your team's account, all the information you need is in this blog post.
We are committed to continual improvement of both internal security practices and development of features that help you take control of your own and your team's security on Slack. In addition to the recent changes to our infrastructure, we have also just released two new features you should know about:
Two Factor Authentication (2FA; also known as two step verification), which is now available for all users/teams. Detailed instructions are available on our help site and if you are signed in, you can set it up right now on your team site. We strongly recommend that everyone use 2FA, both on Slack and everywhere else it is available.
A Password Kill Switch for team owners, which allows for both instantaneous team-wide resetting of passwords and forced ending of all user sessions for all team members (which means that everyone is signed out of your Slack team in all apps on all devices). Team owners can find this option under the authentication tab of your team settings.
For more on our security practices and policies, see https://slack.com/security. Should you have any questions, see our FAQ below or contact us at email@example.com.
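The kill switch described above combines two defensive actions: every member must choose a new password, and every existing session on every app and device stops working at once. Here is an added example (not Slack's code) of one way to build that. It uses a per-team session epoch: each issued session records the epoch it was issued under, and the kill switch simply bumps the team's epoch, which invalidates every outstanding session in one step without having to locate and delete each token. All class and method names are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Added example, not Slack's code. A per-team "session epoch" gives a team
# owner the two effects the post describes: an immediate team-wide password
# reset and the termination of every member's sessions. Names are assumptions.


@dataclass
class Session:
    token: str
    user_id: str
    team_id: str
    epoch: int  # the team's session epoch at the moment the session was issued


@dataclass
class TeamSessionStore:
    team_epoch: dict = field(default_factory=dict)      # team_id -> current epoch
    members: dict = field(default_factory=dict)         # team_id -> set of user_ids
    sessions: dict = field(default_factory=dict)        # token -> Session
    reset_required: set = field(default_factory=set)    # users who must pick a new password

    def add_member(self, team_id: str, user_id: str) -> None:
        self.members.setdefault(team_id, set()).add(user_id)
        self.team_epoch.setdefault(team_id, 0)

    def issue_session(self, team_id: str, user_id: str) -> str:
        """Sign a user in. Refused until a pending forced reset is completed."""
        if user_id in self.reset_required:
            raise PermissionError("password reset required before sign-in")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user_id, team_id, self.team_epoch[team_id])
        return token

    def is_valid(self, token: str) -> bool:
        """A session is live only if its epoch matches the team's current epoch."""
        s = self.sessions.get(token)
        return s is not None and s.epoch == self.team_epoch[s.team_id]

    def kill_switch(self, team_id: str) -> int:
        """Owner action: end every session in the team and require new passwords.

        Returns the number of sessions that were live and are now ended. Other
        teams are untouched because the epoch is tracked per team.
        """
        current = self.team_epoch[team_id]
        ended = sum(1 for s in self.sessions.values()
                    if s.team_id == team_id and s.epoch == current)
        self.team_epoch[team_id] = current + 1
        self.reset_required.update(self.members.get(team_id, set()))
        return ended

    def complete_password_reset(self, user_id: str) -> None:
        """Called once the user has set a new password (stored elsewhere)."""
        self.reset_required.discard(user_id)


if __name__ == "__main__":
    store = TeamSessionStore()
    store.add_member("T1", "alice")
    store.add_member("T1", "bob")
    tok = store.issue_session("T1", "alice")
    print("valid before kill switch:", store.is_valid(tok))
    print("sessions ended:", store.kill_switch("T1"))
    print("valid after kill switch:", store.is_valid(tok))
```

Checking an epoch on every request means session validity is decided server-side, so a signed-out token cannot be revived by a client that still holds it; the stale rows can be garbage-collected later at leisure.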
Again, our most sincere apologies. We are making every effort to prevent any similar occurrence in the future.