Slack says a 2015 database theft is to blame for a large-scale reset of stolen passwords.
The Discord-for-Suits developer said on Thursday that it was resetting the passwords for roughly 1 per cent of its 10 million or so accounts after an investigation revealed that stolen credentials were being sold online. These included customer profiles, hashed passwords and also some passwords in clear text that were harvested on the fly.
Arriving as a tip through Slack's bug bounty program, the stolen account credentials were originally thought to be the result of isolated malware infections or phishing operations. After investigating further, the usernames and passwords were found to have been lifted from a Slack network intrusion that occurred more than four years ago.
"We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users," Slack said in a post explaining the move.
"However, as more information became available and our investigation continued, we determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident."
The incident occurred in March of 2015 when it was found that in the month prior someone had managed to get access to an internal database containing customer profile information. While the passwords in that database were hashed, the attackers did manage to insert code that harvested account credentials as they were entered onto the Slack website, resulting in the theft of some accounts.
How do you know it's finally the weekend? Clock hits 5pm? No, Slack goes down on a Friday afternoon in JuneREAD MORE
Jump back to 2019, when Slack received reports of the credentials being sold. It turns out that someone had dug up the details lifted during the earlier infection, found credentials that still worked, and then flogged those on a crimeware market.
Fortunately, Slack says, the overwhelming majority of users did not need to have their accounts reset. The only users at risk are people who began using Slack before February of 2015 who have not reset their passwords since the break-in took place, and have not implemented two-factor authentication on their accounts.
In short, only those old-timers with poor security practices are at risk, and they are now going to have to get a new, secure password, whether they like it or not.
This all comes as the chat app maker struggles to push its stock price up in the wake of a June IPO that fell flat. At the time of writing, Slack shares had closed at $32, down 4.36 per cent on the day. ®