The buzzy collaboration platform Slack has blown up over the last year, with half a million daily users and a $2.8 billion valuation. Now it’s just hit a different milestone for budding startups: Getting humiliated by hackers who defeated its not-quite-ready-for-primetime security protections.
On Friday Slack announced on its corporate blog that it was hacked over the course of four days in February, and that some number of users’ data was compromised. That data included email addresses, usernames, encrypted passwords, and, in some cases, phone numbers and Skype IDs that users had associated with their accounts. The company claims that its passwords were sufficiently scrambled to be unreadable to hackers, but it also admits that it detected “suspicious activity” on a “small number” of Slack user accounts, implying that users’ communications were in at least some cases fully accessed by the intruders.
“We are very aware that our service is essential to many teams. Earning your trust through the operation of a secure service will always be our highest priority,” the company’s blog post from Slack’s VP Anne Toth reads. “We deeply regret this incident and apologize to you, and to everyone who relies on Slack, for the inconvenience.”
In response to a request from WIRED, a Slack spokesperson declined to comment further on how many user accounts might have been accessed in the hack. But the spokesperson emphasized that it’s communicating privately with users who it believes may have had their communications breached.
In response to the breach, Slack says it’s also now offering a two-factor authentication feature, which would require any user to enter a one-time passcode sent to his or her phone in addition to the usual Slack credentials. It’s also enabled a password “kill switch” for Slack administrators, allowing them to log out all users of a Slack installation and reset their passwords.
Those new features likely can’t undo the damage Slack’s hack will represent to its credibility among corporate users. The company has framed itself as a friendlier replacement for Microsoft’s work and collaboration tools. Given those enterprise ambitions, its addition of two-factor authentication highlights that it didn’t have that security protection in place earlier — a fact that’s surprising, given that the two-factor feature is increasingly seen as the standard for web-based applications.
In its statement, Slack says it had planned to release the two-factor feature in just a week, but was still testing it. “We have decided to release it immediately, despite the remaining bits of clunky-ness: the feature works and it does provide a significant new level of protection against unauthorized access to your Slack account,” writes Toth. “We will be improving this feature in future releases but the feature functionality is what is most important right now.”
Slack adds in its post that it’s been “working 24 hours a day to methodically examine, rebuild and test each component of our system to ensure it is safe,” and that it’s working with outside security experts and law enforcement. It says that its stolen passwords had been both—converted into an unreadable string of characters—with the hashing function known as bcrypt and also “salted,” an additional step that usually makes hashed passwords far more difficult for any thieves to decipher. But Slack users should nonetheless turn on two-factor authentication here.
No comments:
Post a Comment