Slack has been hacked

Cult of Mac runs on Slack. Photo: Jim Merithew/Cult of Mac

Slack, the cool new communications app that many of the world’s top companies have flocked to, just revealed that it’s been hacked.

Attackers were able to access a Slack database, the company said Friday morning. There's no indication the hackers were able to reverse the one-way encrypted passwords stored on the server, but Slack is immediately ramping up security efforts in response.

Here’s the company’s official statement on the security incident:

“We were recently able to confirm that there was unauthorized access to a Slack database storing user profile information. We have since blocked this unauthorized access and made additional changes to our technical infrastructure to prevent future incidents.”

Slack uses a central database that was accessible to the hackers during the attack. The database contains user names, email addresses and one-way encrypted passwords. It also stores optionally added info like phone numbers and Skype IDs.

One open question is whether the attackers could have reached companies' chat archives if those archives weren't encrypted. The company says no financial information was obtained during the Slack hack, which occurred over four days in February. Cult of Mac asked Slack for more detail on what other information may have been exposed.

In response to the attack, Slack has added optional two-factor authentication for users. To enable it, log in to your Slack web profile and toggle the new feature on. Once configured, you'll be required to enter a code from Google Authenticator or Duo Mobile on your phone to sign in to your account.

Update: A Slack spokesperson gave us the following statement:

“We cannot comment beyond details in the blog post about any other unauthorized activity that may have affected individual accounts. We have been in direct communication with a very small number of individual account holders and team owners, but will not be commenting publicly about these accounts. We can confirm that there was no access to databases containing message archives or other similar sensitive team data as part of this incident.

Message archives are not encrypted on the server side (search is an important part of Slack and it is not possible to both securely encrypt messages and offer search as a feature).”

Source: Slack