The workflow collaboration software Slack is in the hot seat once again for its 2015 data breach: on July 18, 2019, more than four years after the incident, the company announced that it is forcing a password reset on accounts that were active at the time. Slack made the announcement on its official corporate blog and described the affected accounts as follows:
“Today we are resetting passwords for all accounts that were active at the time of the 2015 incident, with the exception of accounts that use SSO or with passwords changed after March 2015,” said the Slack team.
- Accounts created prior to March 2015.
- Accounts with no password change recorded after March 2015.
- Accounts that sign in with a Slack password rather than through a single-sign-on provider (for example, Google sign-in).
Accounts created from March 2015 onward are not subject to the forced change, nor are accounts whose password was changed after that date, since Slack treats a later password change as sufficient to invalidate whatever was stolen. The blog post itself recounts the 2015 episode, in which unauthorized parties gained access to Slack's internal systems, including a database holding user profile information and hashed passwords. Hashing protects passwords at rest, but the intruders also inserted code into Slack's authentication flow that captured plaintext passwords as users typed them in, which is why a stolen hash was not the only exposure. The 2019 post does not revisit how that injected code was detected or removed.
Slack says it reset passwords in 2015 for the users it believed were affected at the time; this year's reset covers the small percentage of accounts that were active then but were not covered earlier. The team also urges users to enable two-factor authentication, which limits what an attacker can do with a stolen password alone. Slack also confirmed that the new information reached it through its bug bounty program, the channel it maintains for exactly this kind of external report.
“We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password re-use between services, which we believed to be the case here. […] As more information became available and our investigation continued,” explained the Slack team.
Slack's goal is a uniform baseline across its user base: with the 2019 reset, every account that was active during the 2015 incident has either changed its password since or is being forced to do so now. Slack stated that it had no reason to believe the accounts being reset this week were themselves compromised, but judged the precaution worth the inconvenience.
“Today, all active accounts requiring a password reset are being notified directly with instructions. For information on password resets at any time, please visit our help center: https://get.slack.help/hc/en-us/articles/201909068,” concluded Slack team.