Slack launches two-factor authentication following unauthorized database access

Looks like the popular private chat room service Slack is tightening its security. To protect accounts, Slack has enabled two-factor authentication for users, following unauthorized access to the database that stores user profile information. A very small number of accounts showed signs of suspicious activity, and Slack has already reached out to those users.

In addition to rolling out two-factor authorization, Slack has put a "Password Kill Switch" in place for team owners. The kill switch will allow team owners to force a termination of all sessions, and require all passwords to be reset with just one button.

The new security measures show that Slack takes this very seriously. Slack also shared some information about the attack:

  • Slack maintains a central user database which includes user names, email addresses, and one-way encrypted ("hashed") passwords. In addition, this database contains information that users may have optionally added to their profiles such as phone number and Skype ID.
  • Information contained in this user database was accessible to the hackers during this incident.
  • We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing.
  • Slack's hashing function is bcrypt with a randomly generated salt per-password which makes it computationally infeasible that your password could be recreated from the hashed form.
  • Our investigation, which remains ongoing, has revealed that this unauthorized access took place during a period of approximately 4 days in February.
  • No financial or payment information was accessed or compromised in this attack.
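
The property Slack's statement relies on, a random salt per password combined with a slow one-way hash, as an added example that is not from the article or from Slack. bcrypt is not in Python's standard library, so hashlib.pbkdf2_hmac stands in for it here; the user names and passwords are constructed sample data.

```python
# Added example (not from the article or Slack). PBKDF2 stands in for bcrypt
# as the slow one-way function; the per-password random salt is the point.
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 200_000  # work factor; bcrypt's cost parameter plays the same role


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn per call."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def unsalted_hash(password: str) -> bytes:
    """The weak design a salt prevents: one deterministic digest per password."""
    return hashlib.sha256(password.encode()).digest()


def stored_records(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the per-user (salt, digest) rows a leaked user table would hold."""
    return {name: hash_password(pw) for name, pw in users.items()}


def reuse_visible(digests: Dict[str, bytes]) -> bool:
    """True if two users share a digest, i.e. password reuse can be read off
    the leaked table without recovering a single password."""
    return len(set(digests.values())) != len(digests)


if __name__ == "__main__":
    sample = {"alice": "hunter2", "bob": "hunter2"}  # constructed: same password
    salted = stored_records(sample)
    print("salted reuse visible:", reuse_visible({n: d for n, (_, d) in salted.items()}))
    print("unsalted reuse visible:", reuse_visible({n: unsalted_hash(p) for n, p in sample.items()}))
```

With per-password salts, identical passwords produce different digests, so a leaked table neither reveals reuse nor lets one precomputed table serve every user; each record must be attacked separately at the full work factor.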

Slack urges users to enable two-factor authentication on their accounts, and has laid out very simple instructions on how to do so.

Slack recently released their Windows app for desktop users and a Windows Phone app is due shortly as well.

Source: Slack

Jared DiPane

Jared started off writing about mobile phones back when BlackBerry ruled the market, and Windows Mobile was kinda cool. Now, with a family, mortgage and other responsibilities he has no choice but to look for the best deals, and he's here to share them with you.

  • What is Slack? I'll BING it.
  • Is that like Slacker?
  • Ask Cortana
  • Hi, can I speak to Slack?
    Who is Slack?
  • I can't get the Duo Mobile app to accept the QR code Slack provides. I even tried scanning with Bing Vision and copying the message data to the app. Until this works I can't do the new 2 factor auth :(
  • I was looking for Bing Vision on my phone the other day, but couldn't find it. I freaking hate when MS moves shit around.
  • I thought Bing Vision got nuked? MS Authenticator has a scanner built-in.
  • Bing Vision is now located in the camera app. Click on the ellipsis (...) in the bottom corner and choose "Lenses"; it will be in the list.
  • Have you tried Microsoft Authenticator?
  • Sounds like they were a bit Slack with their security...
  • Whomp whomp
  • Brilliant!
  • Cut them some slack :)
  • Nice.
  • Slack's Beta application for Windows Phone should be arriving soon. I enable Two-Factor Authentication with all my apps that support it. Data breaches are too prevalent.
  • What device is that in the picture?
  • Lenovo yoga tab 2. I have one!
  • Would get this to replace skype at work if it did video calling.
  • Nice. I don't use Slack but two factor is just smart.
  • It would have been "smart" to implement two factor authentication *before* they got hacked.