Flak for Slack chaps in yak app hack flap: User database whacked
Enable two-factor auth, says biz chat startup
Workplace chat app Slack, popular among West Coast startup hipsters and others, has been hacked, its makers said on Friday.
Slack policy and compliance strategy veep Anne Toth – who previously worked at Google and Yahoo! – has explained how over a four-day period in February, attackers were able to access a database containing account names, email addresses, phone numbers, Skype IDs and hashed passwords of Slack users. The biz, founded in 2013, was only able to confirm the intrusion "recently".
The Slack service allows employees to create and manage internal message boards for individual projects and departments. In addition to chats, users can share images, links and content from services such as Twitter, Skype and Google Drive.
Slack, as a startup, is based in San Francisco, has 500,000 users logging in every day, and has a $1.2bn-plus valuation. Its CEO and cofounder Stewart Butterfield also helped create Flickr back in the day.
This headline was a bit of silver lining on an otherwise hard day: "Flak for Slack chaps in yak app hack flap" 👏👏👏 http://t.co/4iZQ4sTon4— Stewart Butterfield (@stewart) March 27, 2015
No financial or payment card information was touched during the database intrusion in February, we're told. Messages and team communications are not believed to have been accessed for most users.
Toth said that while there was no indication the hackers were able to crack the hashed passwords, suspicious activity was spotted on a small number of accounts – presumably those using weak passphrases. Slack has already notified those people, and reset their passwords.
"Since the compromised system was first discovered, we have been working 24 hours a day to methodically examine, rebuild and test each component of our system to ensure it is safe," Toth said in an email to Slack customers.
"We are collaborating with outside experts to cross-check assumptions and ensure that we are meticulous in our approach. In addition we have notified law enforcement of this illegal intrusion."
For all users, a set of new security options will be offered. Slack accounts will now offer two-factor authentication through the Google Authenticator and Duo Mobile apps.
The two-factor protections will allow users to receive a one-time use code on their mobile phone to enter with other account credentials. Two-factor authentication will not be required but is highly recommended by Slack.
Additionally, Slack will be offering team leaders a "password kill switch" feature to automatically reset the passwords for every team member. The option would automatically terminate user sessions and require new a new password for every team member. ®