- In 2015, attackers had gained access to some of Slack’s infrastructure, including a database.
- The database was used to store user profile information such as their usernames and hashed passwords.
Slack is resetting the passwords of approximately 1% of its users whose accounts were created before March 2015. The development comes to light after the firm found new details about the 2015 data breach.
According to the information shared by Slack, in 2015, attackers had gained access to some of its infrastructure, including a database. The database was used to store user profile information such as usernames and hashed passwords.
The attackers had used malicious code to steal the stored plaintext passwords as well as the passwords that were entered by users at the time.
Upon discovery, the firm had immediately thwarted the attack by resetting passwords for a small number of its users. It had also asked its other users to change their passwords to secure their accounts.
“We also encouraged all users to reset their passwords and immediately implemented corrective and preventive security measures, including two-factor authentication. We have not detected any compromise of our infrastructure since this 2015 incident, which affected Slack and a handful of other companies,” read Slack’s notification.
What is the new update?
Slack said it was recently contacted by a bug bounty program about a list of allegedly compromised Slack account passwords. It was found that the majority of the compromised credentials were from accounts that logged into Slack during the 2015 security incident.
The password reset applies to the users who:
- Created accounts before March 2015;
- Have not changed their passwords since March 2015;
- Didn’t log in via an SSO provider.
“In other words, if you’re one of the approximately 99% who joined Slack after March 2015 or changed your password since then, this announcement does not apply to you,” added Slack.
Slack has urged its users to use two-factor authentication to secure their accounts. The users should also keep their computer software and antivirus up to date. They should create new and unique passwords for every service.