Slack launches two-factor authentication following unauthorized database access

Looks like the popular private chat room service Slack is tightening up its security. To protect accounts, Slack has enabled two-factor authentication for users, following unauthorized access to the database that stores user profile information. A very small number of accounts were found to be affected by suspicious activity, and Slack has already reached out to those users.

In addition to rolling out two-factor authentication, Slack has put a "Password Kill Switch" in place for team owners. With one button, the kill switch lets team owners force a termination of all sessions and require all passwords to be reset.

The new security measures show that Slack takes this all very seriously. Slack did share some information about the attack:

  • Slack maintains a central user database which includes user names, email addresses, and one-way encrypted ("hashed") passwords. In addition, this database contains information that users may have optionally added to their profiles such as phone number and Skype ID.
  • Information contained in this user database was accessible to the hackers during this incident.
  • We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing.
  • Slack's hashing function is bcrypt with a randomly generated salt per-password which makes it computationally infeasible that your password could be recreated from the hashed form.
  • Our investigation, which remains ongoing, has revealed that this unauthorized access took place during a period of approximately 4 days in February.
  • No financial or payment information was accessed or compromised in this attack.
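
The per-password salt that Slack describes is stored inside each bcrypt string, next to the work factor, so a team running its own user table can check that property directly. The sketch below is an added example, not Slack's code: it parses the standard bcrypt string layout and flags rows that share a salt, use a low work factor, or are not bcrypt at all. The `MIN_COST` threshold and all sample rows are assumptions constructed for illustration, and the check is format-level only.

```python
import re
from collections import Counter

# bcrypt string layout: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2([abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MIN_COST = 12  # assumed policy threshold, not a figure from the article

def parse_bcrypt(stored):
    """Return variant, cost and salt of a stored bcrypt string, or None if malformed."""
    m = BCRYPT_RE.match(stored)
    if not m or not 4 <= int(m.group(2)) <= 31:  # bcrypt's valid cost range
        return None
    return {"variant": "2" + m.group(1), "cost": int(m.group(2)), "salt": m.group(3)}

def audit(records, min_cost=MIN_COST):
    """Return {user: [findings]} for rows that break the per-password-salt model."""
    parsed = {user: parse_bcrypt(h) for user, h in records}
    salt_counts = Counter(p["salt"] for p in parsed.values() if p)
    findings = {}
    for user, p in parsed.items():
        if p is None:
            issues = ["not-bcrypt"]
        else:
            issues = ["salt-reused"] if salt_counts[p["salt"]] > 1 else []
            if p["cost"] < min_cost:
                issues.append("low-cost")
        if issues:
            findings[user] = issues
    return findings

def fake(cost, salt_char, digest_char="x"):
    """Build a well-formed but constructed bcrypt string from filler characters."""
    return f"$2b${cost:02d}$" + salt_char * 22 + digest_char * 31

# Constructed sample rows: filler values, not hashes of real passwords.
SAMPLE = [
    ("alice", fake(12, "A")),
    ("bob", fake(12, "B")),
    ("carol", fake(12, "B", "y")),  # same salt as bob
    ("dave", fake(6, "D")),         # weak work factor
    ("erin", "0" * 32),             # bare hex digest, no salt or cost field
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Because the salt travels with the hash, anyone who reads the table reads the salts too; what slows offline guessing is the work factor, which is why the audit reports both.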

Slack urges users to enable two-factor authentication on their accounts, and has laid out very simple instructions on how to do so.

Slack recently released their Windows app for desktop users and a Windows Phone app is due shortly as well.

Source: Slack