Popular team messaging service Slack has just started notifying users about a security breach suffered earlier in February. According to the blog entry detailing on the incident, a group of unknown hackers have gotten access to a database containing user information like usernames and their corresponding e-mail addresses, hashed and salted passwords, as well as additional profile fields. The window of opportunity stretched for roughly four days in February.
The notification received today emphasizes that, due to the strong password encryption and salting mechanism, hackers would be unable to bruteforce these hashes and get the original password back. No credit card information or other payment mechanism was exposed either during the hack. This should make things better, right? Well, not so fast.
In case you haven’t heard of it until now, Slack provides a different approach to team communication (i.e. freelancers or company members working together on the same project). It also provides a wide range of connectors that allow key services in your organization to directly post updates on the group chat rather than to send messages on an internal mailing list. For instance, teams could get updates from the company’s SVN server, from the continuous integration services, from videoconferencing systems, from server-monitoring tools and so on. It would be safe to assume that whoever has access to your Slack account pretty much knows whatever happens in the company you’re working at.
And despite the reassurance that hackers “only” laid their hands on non-critical information like your name, phone number, e-mail address, your Skype alias and other trivial data that is optional in the profile, a small number of customer accounts have been flagged for suspicious activity:
“As part of our investigation we detected suspicious activity affecting a very small number of Slack accounts,” the report reads. “We have notified the individual users and team owners who we believe were impacted and are sharing details with their security teams.”
What should you do now?
The last few years of data breaches on high profile services have probably trained you for incidents like this. You should change your Slack account’s password immediately. If you are a team leader, sign all of your team members off via the kill-switch provided in account’s control panel. You might also want to change the passwords to your other accounts should you have re-used the Slack password somewhere else.
The Slack team has also rushed a 2FA service across the network, so you might want to enable it as soon as you have reviewed your account. But most importantly, prepare your organization for phishing attacks and targeted spam, because this is definitely something you would encounter in the next couple of weeks.