Slack resets hundreds of thousands of passwords following data breach

Slack has just been made aware of additional information about a security breach that took place back in 2015, forcing the company to reset the passwords of around 1 percent of its users.

The company announced earlier this year that it has a daily userbase of over 10 million people, so this means that a huge number of users are affected by the incident no matter how much Slack tries to downplay it.

See also:

• Microsoft Teams is more popular than Slack
• Leaked: Microsoft bans employees from using Slack, Kaspersky… even GitHub use is discouraged
• How the smartest companies use Slack today

Slack commented on the incident when it happened four years ago, saying: "We were recently able to confirm that there was unauthorized access to a Slack database storing user profile information. We have since blocked this unauthorized access and made additional changes to our technical infrastructure to prevent future incidents". The company said at the time that it notified the individual users it knew to be affected, but stressed that "no financial or payment information was accessed or compromised in this attack".

But now Slack says that it has received "new information about our 2015 security incident" and it is resetting many passwords as a result. In a post about the decision, Slack says:

This announcement affects you only if you:

• created your account before March 2015,
• AND have not changed your password since,
• AND your account does not require logging in via a single-sign-on (SSO) provider.

In other words, if you’re one of the approximately 99 percent who joined Slack after March 2015 or changed your password since then, this announcement does not apply to you.

The company goes on to explain:

We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password re-use between services, which we believed to be the case here.

We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users. However, as more information became available and our investigation continued, we determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident.

While Slack says that it has no reason to believe that accounts have been compromised, it is still resetting passwords for accounts that were active at the time of the incident as a security measure.