Enterprise and small business collaboration provider Slack today disclosed that a database storing user profile information has been compromised. The company said in a notice posted on its site that the unauthorized access has been blocked, and that it has implemented two-factor authentication moving forward, urging its users to take advantage of it.
“We are very aware that our service is essential to many teams. Earning your trust through the operation of a secure service will always be our highest priority,” said Anne Toth, vice president of policy and compliance strategy. “We deeply regret this incident and apologize to you, and to everyone who relies on Slack, for the inconvenience.”
Slack’s disclosure notice provides a thorough breakdown of the breach, security in measures in place that lessened the severity of the break-in, and the introduction of not only two-factor authentication but also of a password kill-switch that allows admins to force a password reset for internal Slack users.
The notice was cheered on social media by a number of security experts:
— Leigh Honeywell (@hypatiadotca) March 27, 2015
— Rich Mogull (@rmogull) March 27, 2015
Glad to see that @SlackHQ was using bcrypt.
— Frank Denis (@jedisct1) March 27, 2015
Slack said the intrusion took place during a four-day period in February and that it has noticed some suspicious activity on a small number of accounts; the affected individuals and organizations have been notified.
The user database in question contains usernames, email addresses and hashed passwords. Users have the option of adding information to their profiles, such as a mobile number or Skype ID; that information was also exposed, Slack said. The same cannot be said for the encrypted passwords, the company said.
“We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing,” Toth explained. “Slack’s hashing function is bcrypt with a randomly generated salt per-password which makes it computationally infeasible that your password could be recreated from the hashed form.”
Bcrypt is a hash function that has been around since 1999.
Toth said the investigation is ongoing and no financial or payment data was involved in the breach. The company did not give any indication of how the attackers got into Slack’s network.
“Since the compromised system was first discovered, we have been working 24 hours a day to methodically examine, rebuild and test each component of our system to ensure it is safe,” Toth said. “We are collaborating with outside experts to cross-check assumptions and ensure that we are meticulous in our approach. In addition we have notified law enforcement of this illegal intrusion.”