Slack Got Hacked


Slack, the super-slick team chat-room service, is getting popular fast. Word around the rumor mill is that it’s currently raising funds at a $2.8 billion valuation. And in the words of the late, great Biggie Smalls: Mo Money, Mo Problems. In the case of startups, success can make your databases a juicy target for hackers.

The bad news: Slack got hacked. Sometime in February, hackers were able to peruse Slack’s central database for up to four days.

The good news: The company patched the holes and beefed up its available security features.

In a blog post on the topic, Slack’s head of Policy/Compliance Anne Toth detailed the intrusion.

Here’s how it breaks down:

  • Hackers were able to get into Slack’s central user database
  • This database included usernames, email addresses, encrypted passwords, and any user-profile stuff people chose to add to their account (phone numbers, Skype IDs, etc.)
  • Going a step further than most breach notices, Slack described how the passwords were protected: they were hashed with bcrypt, a one-way function. There’s some discussion going on over at Hacker News as to whether or not this is sufficient.
  • Either way, you should follow standard procedure here. Change your Slack password just to be safe, and change it anywhere else you use the same password.
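
What the bcrypt debate actually turns on is whether a leaked table of hashes lets an attacker recover passwords cheaply. The added example below (not from Slack or the blog post) contrasts a fast unsalted hash with a salted, cost-tunable one; bcrypt itself is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in for it, and the storage format and sample passwords are constructed for this illustration.

```python
"""Why a salted, slow password hash matters when a user database leaks."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Fast, unsalted hash: identical passwords give identical digests, so one
# precomputed table cracks every user who picked that password at once.
def fast_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Slow, salted hash. bcrypt is not in Python's standard library, so
# PBKDF2-HMAC-SHA256 stands in for it; the two properties the bcrypt debate
# turns on (a random per-user salt and a tunable cost) are the same.
# The "pbkdf2-sha256$<cost>$<salt hex>$<digest hex>" layout is constructed for
# this example and is not bcrypt's own "$2b$..." format.
def slow_hash(password: str, salt: Optional[bytes] = None, cost: int = 14) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return f"pbkdf2-sha256${cost}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    _, cost, salt_hex, _ = stored.split("$")
    recomputed = slow_hash(password, bytes.fromhex(salt_hex), int(cost))
    return hmac.compare_digest(recomputed, stored)

def seconds_per_guess(cost: int) -> float:
    """Time one derivation: this is what each offline guess costs an attacker
    and what each login costs the service, so cost is a tuning decision."""
    start = time.perf_counter()
    slow_hash("timing-probe", b"\x00" * 16, cost)
    return time.perf_counter() - start

if __name__ == "__main__":
    leaked = slow_hash("correct horse battery staple")  # constructed sample record
    print("two users, same password, fast hash equal:",
          fast_hash("hunter2") == fast_hash("hunter2"))     # True: precomputable
    print("two users, same password, slow hash equal:",
          slow_hash("hunter2") == slow_hash("hunter2"))     # False: per-user salt
    print("verify correct:", verify("correct horse battery staple", leaked))
    print("verify wrong:  ", verify("wrong guess", leaked))
    for cost in (10, 14):
        print(f"cost {cost}: {seconds_per_guess(cost):.4f} s per guess")
```

Raising the cost makes each attacker guess proportionally more expensive, which is the lever a defender has once the hashes are already in someone else's hands.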

On the upside, Slack says no financial data was exposed. Unlike every other hack from the past few months, you shouldn’t need a new credit card this time.

In response to the hack, Slack has fired up two new security features: two-factor authentication, and a team-wide password kill switch.

Everyone should be familiar with (and use!) two-factor at this point, but in case you’re not: the idea is that even if someone knows your password, they need physical access to something else (generally your cell phone) to sneak into your account. A randomly generated second password is sent to your phone. Without that, they’re locked out.

The password kill switch, meanwhile, allows team administrators to boot everyone out of the Slack room and force them to reset their passwords. That should be used sparingly, because it’s inconvenient as hell and overuse will result in users making garbage passwords — but it’s handy when you suspect that someone is snooping but you’re not quite sure who or how.

And for those worried about prying eyes: Slack says that, at a wide scale, they believe “there was no unauthorized access to any of your team data (such as messages or files)” — and if they find any evidence that a specific team/room/person was compromised, they’ll contact them directly.