Slack, the company behind the popular multi-platform enterprise collaboration app of the same name, has announced that it suffered a data breach in February.
Apparently, attackers have managed to access a Slack database storing user profile information: user names, email addresses, hashed and salted passwords, and additional optional information that users have added to their profiles (for example phone number and Skype ID).
“We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing,” they explained in a blog post. “Slack’s hashing function is bcrypt with a randomly generated salt per-password which makes it computationally infeasible that your password could be recreated from the hashed form.”
“Our investigation, which remains ongoing, has revealed that this unauthorized access took place during a period of approximately 4 days in February. As soon as the evidence was uncovered, we started communication with the affected teams. The announcement was made as soon as we could confirm the details and as fast as we could type,” they added.
Luckily, the breach hasn’t resulted in the compromise of financial or payment information.
Law enforcement has been notified of the incident, and the company has been working on improving the security of its technical infrastructure.
In addition to this, users can now set up two-factor authentication for their accounts, and the company has introduced a “password kill switch” feature for team owners, which allows them to force a password reset and terminate all user sessions for all team members simultaneously.
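One way a team-wide kill switch of this kind can be built, shown as an added example that is not Slack's code or design: each session records the team "generation" it was issued under, so the owner action revokes every session by bumping one counter and flags every member for a reset in the same locked step. The `TeamSessions` class and its method names are hypothetical, and password storage is left out.

```python
import secrets
import threading


class TeamSessions:
    """In-memory model of one team's sessions (hypothetical, for illustration)."""

    def __init__(self, members):
        self._lock = threading.Lock()
        self._generation = 0                     # bumped by the kill switch
        self._must_reset = {m: False for m in members}
        self._sessions = {}                      # token -> (user, generation at issue)

    def login(self, user):
        """Issue a session token; refused while a forced reset is pending."""
        with self._lock:
            if self._must_reset[user]:
                raise PermissionError("password reset required")
            token = secrets.token_urlsafe(32)
            self._sessions[token] = (user, self._generation)
            return token

    def validate(self, token):
        """Return the user for a live token, or None if unknown or revoked."""
        with self._lock:
            entry = self._sessions.get(token)
            if entry is None:
                return None
            user, issued_under = entry
            if issued_under != self._generation:
                del self._sessions[token]        # lazily purge a revoked session
                return None
            return user

    def kill_switch(self):
        """Owner action: revoke all sessions and require resets in one step."""
        with self._lock:
            self._generation += 1                # every older token is now stale
            for user in self._must_reset:
                self._must_reset[user] = True
            return self._generation

    def complete_reset(self, user):
        """Call once the user has set a new password (storage not shown)."""
        with self._lock:
            self._must_reset[user] = False
```

Because both changes happen under one lock, there is no window in which a member's old session is dead but the old password can still open a new one.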
The company said that they detected suspicious activity on a “very small” number of Slack accounts.