Slack admits being hacked in February, introduces two-factor authentication

Popular San Francisco-based group chat tool Slack has admitted that it sustained a major security breach lasting four days last month (February 2015). The unified communications and enterprise software startup said that its central user database was accessible to hackers during those four days.

Founded by Flickr veterans in 2013, the chat app has become a huge hit within a very short period. It now boasts more than half a million daily users.

The company fears the hack could have compromised users' profile information, such as log-on data, email addresses and one-way encrypted passwords. The hackers might also have reached any additional information that users had added to their profiles, such as phone numbers and Skype IDs.

In a blog post, Anne Toth, vice president of policy and compliance strategy at Slack, explained that the stored passwords were encrypted using a one-way hashing technique and that there was no reason to believe the hackers were able to decrypt them. She went on to reassure users that no financial or payment information was accessed or compromised during the attack.

She also assured users that the company had taken the security breach very seriously and had taken adequate steps to prevent any such incidents in the future.

Though Slack did not specify the number of users it thinks may have been affected by this breach, it mentioned contacting a “very small number” of individual users who had suspicious activity tied to their accounts, or whose messages may have been accessed. A company spokeswoman declined to comment further.

For those who have not been contacted by the company personally, Slack has published some security tips and introduced two-factor authentication. Once it is enabled, users will have to enter a verification code in addition to their password each time they sign in to Slack. The company is strongly urging all existing and new members to enable it.

Slack has also introduced a password kill switch, which allows team owners and administrators to reset passwords for an entire team at once.