March 2015 security incident and the launch of Two Factor Authentication

We were recently able to confirm that there was unauthorized access to a Slack database storing user profile information. We have since blocked this unauthorized access and made additional changes to our technical infrastructure to prevent future incidents. We have also released two factor authentication and we strongly encourage all users to enable this security feature.

We are very aware that our service is essential to many teams. Earning your trust through the operation of a secure service will always be our highest priority. We deeply regret this incident and apologize to you, and to everyone who relies on Slack, for the inconvenience.

Here is some specific information we can share about this incident:

  • Slack maintains a central user database which includes user names, email addresses, and one-way encrypted (“hashed”) passwords. In addition, this database contains information that users may have optionally added to their profiles such as phone number and Skype ID.
  • Information contained in this user database was accessible to the hackers during this incident.
  • We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing.
  • Slack’s hashing function is bcrypt with a randomly generated salt per password, which makes it computationally infeasible to recreate your password from its hashed form.
  • Our investigation, which remains ongoing, has revealed that this unauthorized access took place during a period of approximately 4 days in February. As soon as the evidence was uncovered, we started communication with the affected teams. The announcement was made as soon as we could confirm the details and as fast as we could type.
  • No financial or payment information was accessed or compromised in this attack.
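The properties the list above relies on (a one-way, deliberately slow hash with a fresh random salt for every password) are easy to see in code. The block below is an added example, not Slack's code: it uses `hashlib.scrypt` from the Python standard library in place of bcrypt so it runs with no third-party packages, and the cost parameters are assumed illustration values, not Slack's settings. It also shows the contrast with an unsalted hash, where two users sharing a password produce identical records.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example: salted, slow, one-way password hashing in the spirit of the
# bcrypt scheme described in the post. hashlib.scrypt (standard library) stands
# in for bcrypt; the cost parameters below are assumed values for illustration.
SALT_BYTES = 16
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "scrypt$<salt hex>$<hash hex>".

    When no salt is supplied a fresh random one is drawn, so hashing the same
    password twice yields two different records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, _digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "scrypt":
        return False
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, record)


def same_password_different_records(password: str) -> bool:
    """True when two hashes of one password differ (distinct salts) yet both verify."""
    a = hash_password(password)
    b = hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


def unsalted_records_collide(password: str) -> bool:
    """The contrast case: without a salt, every user with this password shares
    one record, so a single precomputed table or one cracked hash covers them all."""
    a = hashlib.sha256(password.encode("utf-8")).hexdigest()
    b = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return a == b


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                 # False
    print(same_password_different_records("hunter2"))             # True
    print(unsalted_records_collide("hunter2"))                    # True
```

Because the salt is stored alongside the hash, the verifier can always recompute the record; what the salt prevents is comparing records across users or against a table built in advance, and the slow key derivation is what makes guessing each password individually expensive.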

Since the compromised system was first discovered, we have been working 24 hours a day to methodically examine, rebuild and test each component of our system to ensure it is safe. We are collaborating with outside experts to cross-check assumptions and ensure that we are meticulous in our approach. In addition, we have notified law enforcement of this illegal intrusion.

As part of our investigation we detected suspicious activity affecting a very small number of Slack accounts. We have notified the individual users and team owners who we believe were impacted and are sharing details with their security teams. Unless you have been contacted by us directly about a password reset or been advised of suspicious activity in your team’s account, all the information you need is in this blog post.

We are committed to continual improvement of both internal security practices and development of features that help you take control of your own and your team’s security on Slack. In addition to the recent changes to our infrastructure, we have also just released two new features you should know about:

  • Two Factor Authentication (“2FA”; also known as “two step verification”), which is now available for all users/teams. Detailed instructions are available on our help site and if you are signed in, you can set it up right now on your team site. We strongly recommend that everyone use 2FA, both on Slack and everywhere else it is available.
  • A “Password Kill Switch” for team owners, which allows for both instantaneous team-wide resetting of passwords and forced termination of all user sessions for all team members (which means that everyone is signed out of your Slack team in all apps on all devices). Team owners can find this option under the authentication tab of their team settings.
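One way a team-wide kill switch like the one described above can be built is to give each team a session "epoch" that every issued session records; bumping the epoch invalidates every outstanding session at once, and a per-user reset flag blocks sign-in until a new password is set. The block below is an added example of that design, not Slack's implementation; the `SessionStore` class and its methods are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set


@dataclass
class Session:
    user: str
    team: str
    epoch: int  # team epoch at the moment the session was issued


@dataclass
class Team:
    epoch: int = 0
    must_reset: Set[str] = field(default_factory=set)  # users who must set a new password


class SessionStore:
    """Assumed design for a team-wide kill switch (added example, not Slack's code)."""

    def __init__(self) -> None:
        self.teams: Dict[str, Team] = {}
        self.sessions: Dict[str, Session] = {}
        self._next_id = 0

    def _team(self, name: str) -> Team:
        return self.teams.setdefault(name, Team())

    def sign_in(self, user: str, team: str) -> str:
        """Issue a session id, refusing users whose password reset is pending."""
        t = self._team(team)
        if user in t.must_reset:
            raise PermissionError(f"{user}@{team}: password reset required")
        self._next_id += 1
        sid = f"s{self._next_id}"
        self.sessions[sid] = Session(user, team, t.epoch)
        return sid

    def is_valid(self, sid: str) -> bool:
        """A session is live only while its recorded epoch matches the team's."""
        s = self.sessions.get(sid)
        return s is not None and s.epoch == self._team(s.team).epoch

    def kill_switch(self, team: str, members: Iterable[str]) -> int:
        """Sign out every session in the team and force a reset for every member.

        Returns the number of sessions invalidated.
        """
        t = self._team(team)
        t.epoch += 1  # one increment retires every session issued under the old epoch
        t.must_reset.update(members)
        return sum(1 for s in self.sessions.values() if s.team == team)

    def reset_password(self, user: str, team: str) -> None:
        """Clearing the flag lets the user sign in again with the new password."""
        self._team(team).must_reset.discard(user)


if __name__ == "__main__":
    store = SessionStore()
    a1 = store.sign_in("alice", "acme")
    b1 = store.sign_in("bob", "acme")
    c1 = store.sign_in("carol", "other")
    print(store.kill_switch("acme", ["alice", "bob"]))  # 2
    print(store.is_valid(a1), store.is_valid(b1), store.is_valid(c1))  # False False True
    store.reset_password("alice", "acme")
    print(store.is_valid(store.sign_in("alice", "acme")))  # True
```

Storing the epoch on the session rather than deleting session rows means the switch is a single write per team regardless of how many devices are signed in, and a session token that was copied elsewhere stops working at the same moment as the rest.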

For more on our security practices and policies, see https://slack.com/security. Should you have any questions, see our FAQ below or contact us at security@slack.com.

Again, our most sincere apologies. We are making every effort to prevent any similar occurrence in the future.

Anne Toth
VP, Policy & Compliance Strategy


FAQ

Q: How do I reset my password?

You can reset your password in your Slack profile settings. In addition, team owners and administrators can now easily reset passwords for an entire team at once using our new “password kill switch” feature.

If your Slack team uses single sign-on (SSO) you do not need to reset your password as we do not store passwords for users with this feature enabled.

Q: Why are you releasing Two Factor Authentication now? Why not earlier?

Two Factor Authentication has been in development for the last few months. It is a complicated change which requires additional support resources, administrative capabilities, changes to all applications, mobile and desktop, and extensive testing. We were about a week from release, with just a few small UI tweaks to simplify and clarify the usage experience.

We have decided to release it immediately, despite the remaining bits of clunkiness: the feature works and it does provide a significant new level of protection against unauthorized access to your Slack account. We will be improving this feature in future releases, but the feature functionality is what is most important right now.

Q: What are you doing to prevent additional breaches?

We cannot overemphasize how seriously we take this incident and the importance we place on the security of your information in the broadest sense, from internal compliance processes, audits and physical access control to continual review of our systems design and approach to technical operations.

We have launched Two Factor Authentication and additional administrative security tools to help users and teams better manage the security of their own accounts. You can expect to hear more about new security initiatives and features in Slack and you can count on our commitment to the ongoing investment in and prioritization of Slack’s security.

Q: Were my messages taken/read/accessed?

If you have not been explicitly informed by us in a separate communication that we detected suspicious activity involving your Slack account, we are very confident that there was no unauthorized access to any of your team data (such as messages or files).

Q: Who can I reach if I have additional questions?

If you have questions outside of those covered here please contact security@slack.com.