Slack attack – popular workplace messaging service hacked

Slack, the popular team messaging tool, has announced that it suffered a “security incident” in February in which user information was accessed by hackers, and that it detected “suspicious activity” in a number of Slack accounts.

Slack’s homepage currently directs visitors to its blog for “an important security update”, which provides the following details about “unauthorized access to a Slack database storing user profile information”:

  • “Slack maintains a central user database which includes user names, email addresses, and one-way encrypted (“hashed”) passwords. In addition, this database contains information that users may have optionally added to their profiles such as phone number and Skype ID.
  • “Information contained in this user database was accessible to the hackers during this incident.
  • “We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing.
  • “Slack’s hashing function is bcrypt with a randomly generated salt per-password which makes it computationally infeasible that your password could be recreated from the hashed form.
  • “Our investigation, which remains ongoing, has revealed that this unauthorized access took place during a period of approximately 4 days in February. As soon as the evidence was uncovered, we started communication with the affected teams. The announcement was made as soon as we could confirm the details and as fast as we could type.
  • “No financial or payment information was accessed or compromised in this attack.”

In the same blog post, Slack announced the introduction of two-factor authentication, which it encouraged users to enable, and later the same day announced that mobile users would be forcibly signed out of their accounts as a security measure.

Two-Factor Authentication

Released on 5 May, ITGP’s new publication, Two-Factor Authentication, provides a comprehensive evaluation of secondary authentication methods, including one-time password generation, geolocation-aware authentication, biometric authentication, and others. It also discusses the wider application of two-factor authentication, and its future use, particularly relating to the Internet of Things (IoT).

However strong a password is, if it’s lost or stolen, it’s entirely useless at keeping information private: increasing its strength will do nothing to protect you from online hacking, phishing attacks or corporate data breaches. If you’re concerned about the security of your personal and financial data, you need to read this book.

Two-Factor Authentication is available to pre-order from IT Governance.