New information about Slack’s 2015 security incident



In response to new information about our 2015 security incident (explained here at the time), we are resetting passwords for approximately 1% of Slack accounts. This announcement affects you only if you:

  • created your account before March 2015,
  • AND have not changed your password since,
  • AND your account does not require logging in via a single-sign-on (SSO) provider.

In other words, if you’re one of the approximately 99% who joined Slack after March 2015 or changed your password since then, this announcement does not apply to you.

2015

In 2015, unauthorized individuals gained access to some Slack infrastructure, including a database that stored user profile information including usernames and irreversibly encrypted, or “hashed,” passwords. The attackers also inserted code that allowed them to capture plaintext passwords as they were entered by users at the time. 

Immediately following the incident, we reset passwords for the small number of Slack users we confirmed to be affected. We also encouraged all users to reset their passwords and immediately implemented corrective and preventive security measures, including two-factor authentication. We have not detected any compromise of our infrastructure since this 2015 incident, which affected Slack and a handful of other companies.

2019

We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password re-use between services, which we believed to be the case here.

We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users. However, as more information became available and our investigation continued, we determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident.
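The two technical points above, that the stolen database held only salted, irreversible hashes (so the captured plaintexts, not the database, were what exposed passwords) and that a defender can confirm which reported credentials are still valid without ever storing the plaintext, can be shown in a few lines. The following is an added example for illustration; it is not Slack's code, and the user store, the reported credential list and the PBKDF2 parameters are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Iteration count kept low so the demo runs quickly; production systems should use
# a much higher count (or a memory-hard function such as scrypt or Argon2).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256.

    The digest cannot be reversed to recover the password, so an attacker who only
    steals this table must guess passwords offline. Capturing the plaintext as it is
    typed (as happened in 2015) bypasses this protection entirely, which is why a
    reset is required even though the stored values were hashed.
    """
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def build_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed helper: hash a dict of email -> password into the on-disk form."""
    return {email: hash_password(pw) for email, pw in users.items()}


def accounts_needing_reset(store: Dict[str, Tuple[bytes, bytes]],
                           reported: List[Tuple[str, str]]) -> List[str]:
    """Return the sorted emails whose reported password still matches the stored hash.

    Only the verification result is kept; the candidate plaintexts are never written
    to the store or to any log.
    """
    hits = set()
    for email, candidate in reported:
        entry = store.get(email)
        if entry is None:
            continue  # unknown account: nothing to reset
        salt, digest = entry
        if verify_password(candidate, salt, digest):
            hits.add(email)
    return sorted(hits)


# Constructed sample data (not real accounts or credentials).
SAMPLE_STORE = build_store({
    "alice@example.com": "correct horse battery",
    "bob@example.com": "hunter2",
    "carol@example.com": "S3cure!pass",
})

REPORTED_CREDENTIALS = [
    ("alice@example.com", "correct horse battery"),  # still valid -> reset
    ("bob@example.com", "wrongpass"),                # stale or wrong -> no action
    ("dave@example.com", "whatever"),                # no such account
    ("carol@example.com", "S3cure!pass"),            # still valid -> reset
]

if __name__ == "__main__":
    for email in accounts_needing_reset(SAMPLE_STORE, REPORTED_CREDENTIALS):
        print("reset required:", email)
```

Two salts for the same password produce different digests, so a match can only be found by recomputing the hash per account; that per-account cost is what makes the "confirm, then reset" step safe to run over a reported list without exposing anyone else's password.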

What we are doing now

Today we are resetting passwords for all accounts that were active at the time of the 2015 incident, with the exception of accounts that use SSO or whose passwords were changed after March 2015. We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause. However, we do recognize that this is inconvenient for affected users, and we apologize.

FAQ

What do I do if my password is being reset by Slack?

Today, all active accounts requiring a password reset are being notified directly with instructions. For information on password resets at any time, please visit our help center: https://get.slack.help/hc/en-us/articles/201909068

How can I review access to my account?

Each user can review the personal access logs for their account, or download a complete CSV export, at any time by visiting https://my.slack.com/account/logs. Owners and Administrators on all paid plans can learn more about viewing the access logs for their workspace in our help center: https://get.slack.help/hc/en-us/articles/360002084807-View-Access-Logs-for-your-workspace
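Reviewing an access-log export by eye is tedious once it spans months, so the usual approach is to establish a baseline of the IP address and user-agent pairs seen before a chosen date and then list every later login that came from a pair never seen before. The following is an added example, not Slack's code; the CSV column names and every row in it are constructed for the demo and are not Slack's actual export format.

```python
import csv
import io
from datetime import datetime
from typing import Dict, List

# Constructed sample export. Column names are an assumption for this demo, not the
# real export schema. IP addresses are from the RFC 5737 documentation ranges.
SAMPLE_ACCESS_LOG = """\
date_accessed,ip_address,user_agent
2019-06-01 08:15:02,203.0.113.7,Mozilla/5.0 (Macintosh) Chrome/75
2019-06-20 18:40:11,203.0.113.7,Mozilla/5.0 (Macintosh) Chrome/75
2019-07-02 22:05:44,203.0.113.7,Mozilla/5.0 (Macintosh) Chrome/75
2019-07-10 03:12:09,198.51.100.23,Mozilla/5.0 (Windows NT 10.0) Firefox/68
2019-07-11 09:30:00,203.0.113.7,Mozilla/5.0 (Macintosh) Chrome/75
2019-07-12 14:02:37,192.0.2.250,python-requests/2.22.0
"""


def parse_access_log(text: str) -> List[Dict]:
    """Parse the CSV export into a list of dicts with a real datetime per row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "when": datetime.strptime(row["date_accessed"], "%Y-%m-%d %H:%M:%S"),
            "ip": row["ip_address"],
            "ua": row["user_agent"],
        })
    return rows


def unfamiliar_logins(rows: List[Dict], baseline_end: datetime) -> List[Dict]:
    """Return logins after baseline_end whose (ip, user_agent) pair was never seen
    during the baseline period. Unfamiliar pairs are worth checking against the
    devices and locations the account owner actually uses."""
    known = {(r["ip"], r["ua"]) for r in rows if r["when"] <= baseline_end}
    return [
        r for r in rows
        if r["when"] > baseline_end and (r["ip"], r["ua"]) not in known
    ]


def logins_per_ip(rows: List[Dict]) -> Dict[str, int]:
    """Count logins by source IP; a single-login IP is the usual thing to look at."""
    counts: Dict[str, int] = {}
    for r in rows:
        counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_ACCESS_LOG)
    for r in unfamiliar_logins(rows, datetime(2019, 6, 30)):
        print(f"{r['when']}  {r['ip']:<16} {r['ua']}")
```

A login that shows up as unfamiliar is not proof of compromise (a new laptop or a travel connection produces the same signal), but it is exactly the kind of entry to confirm before deciding whether to change the password and revoke sessions.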

Who can I reach if I have additional questions?

If you have questions outside of those covered here, please contact us at security@slack.com.  

What steps can I take to further secure my account?

We recommend all users use two-factor authentication, ensure their computer software and antivirus software is up to date, and create new, unique passwords for every service they use or use a password manager.
