4 years after data breach, Slack resets 100,000 users’ passwords

Roughly 100,000 Slack users are getting their password reset and will have to choose a new one.


The reason? During the data breach the company suffered in 2015, the attackers apparently not only accessed a database with user profile information and “irreversibly encrypted” passwords, but also “inserted code that allowed them to capture plaintext passwords as they were entered by users at the time.”

What happened in 2015?

Unknown attackers gained access to a Slack database storing user profile information, including hashed and salted passwords.

At the time, Slack said that it had detected suspicious activity affecting “a very small number of Slack accounts.”

Those account owners were notified, some password resets forced, and Slack made available two-factor authentication and a “password kill switch” for team owners, which allows them to reset passwords and terminate active sessions of each member of their team.

At the time, the company did not mention any malicious code capturing plaintext passwords.

Why the password reset now?

On Thursday, Slack said that they received information through their bug bounty program about potentially compromised Slack credentials.

While the company initially thought that these might be the result of malware or password re-use between services, it later discovered that the majority of the compromised credentials were from accounts that logged in to Slack during the 2015 security incident, and that a portion of the email address and password combinations were (still) valid.

“Today we are resetting passwords for all accounts that were active at the time of the 2015 incident, with the exception of accounts that use SSO or with passwords changed after March 2015,” the company decided.

“We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause. However, we do recognize that this is inconvenient for affected users, and we apologize.”

The password reset will affect 1% of Slack’s 10-million-strong user base.