The buzzy collaboration platform Slack has blown up over the last year, with half a million daily users and a $2.8 billion valuation. Now it’s just hit a different milestone for budding startups: Getting humiliated by hackers who defeated its not-quite-ready-for-primetime security protections.
On Friday Slack announced on its corporate blog that it was hacked over the course of four days in February, and that some number of users’ data was compromised. That data included email addresses, usernames, encrypted passwords, and, in some cases, phone numbers and Skype IDs that users had associated with their accounts. The company claims that its passwords were sufficiently scrambled to be unreadable to hackers, but it also admits that it detected “suspicious activity” on a “small number” of Slack user accounts, implying that users’ communications were in at least some cases fully accessed by the intruders.
“We are very aware that our service is essential to many teams. Earning your trust through the operation of a secure service will always be our highest priority,” the company’s blog post from Slack’s VP Anne Toth reads. “We deeply regret this incident and apologize to you, and to everyone who relies on Slack, for the inconvenience.”
In response to a request from WIRED, a Slack spokesperson declined to comment further on how many user accounts might have been accessed in the hack. But the spokesperson emphasized that the company is communicating privately with users whose communications it believes may have been breached.
In response to the breach, Slack says it’s also now offering a two-factor authentication feature, which would require any user to enter a one-time passcode sent to his or her phone in addition to the usual Slack credentials. It’s also enabled a password “kill switch” for Slack administrators, allowing them to log out all users of a Slack installation and reset their passwords.
SOURCE: WIRED, Andy Greenberg