Topic: Slack.com Database Hacked!

KynloStephen66515

« on: March 27, 2015, 04:57 PM »
March 2015 Security Incident and the Launch of Two Factor Authentication
Posted March 27th, 2015

We were recently able to confirm that there was unauthorized access to a Slack database storing user profile information. We have since blocked this unauthorized access and made additional changes to our technical infrastructure to prevent future incidents. We have also released two factor authentication and we strongly encourage all users to enable this security feature.

We are very aware that our service is essential to many teams. Earning your trust through the operation of a secure service will always be our highest priority. We deeply regret this incident and apologize to you, and to everyone who relies on Slack, for the inconvenience.

Here is some specific information we can share about this incident:

Slack maintains a central user database which includes user names, email addresses, and one-way encrypted (“hashed”) passwords. In addition, this database contains information that users may have optionally added to their profiles such as phone number and Skype ID.

Information contained in this user database was accessible to the hackers during this incident.

We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing.

Slack’s hashing function is bcrypt with a randomly generated salt per-password which makes it computationally infeasible that your password could be recreated from the hashed form.

Our investigation, which remains ongoing, has revealed that this unauthorized access took place during a period of approximately 4 days in February. As soon as the evidence was uncovered, we started communication with the affected teams.  The announcement was made as soon as we could confirm the details and as fast as we could type.

No financial or payment information was accessed or compromised in this attack.


Read more: http://slackhq.com/p...nt-and-launch-of-2fa