Slack is resetting user passwords in response to a 2015 data breach

Slack Media Kit/Slack

In response to recent developments in a 2015 data breach incident, collaboration software company Slack has announced that starting July 18, it will reset the passwords of some of its user accounts that it believes may still be affected by the breach.

According to a statement on Slack’s blog, the company recently discovered new information regarding a 2015 data breach incident. Apparently, Slack recently received reports about “potentially compromised Slack credentials.” Initially, Slack was able to confirm that some of “the email addresses and password combinations were valid,” and so the company reset these passwords and notified the users affected.

But upon further investigation, Slack discovered that most of the compromised credentials “were from accounts that logged in to Slack during the 2015 security incident.” And so, in response to this new information, Slack will reset the passwords of all the accounts that were active during the 2015 data breach. Slack also went on to note that it would only be resetting the passwords of those accounts that meet the following conditions: The account must have been created before March 2015 and the password must not have been changed since thenAffected accounts also do not use a single-sign-on (SSO) provider to log in.

Slack also emphasized that this week’s password reset was just a precautionary measure and that the company has “no reason to believe that any of these accounts were compromised.” Slack has also said that users who have accounts that meet all of the previously mentioned criteria will be “notified directly with instructions.” Slack estimates that only 1% of its user accounts will need to have their passwords reset.

The 2015 data breach occurred in February of that year, and was announced to the public in March. This incident involved the breach of a Slack database that contained user profile information, which included usernames, encrypted passwords, and email addresses. According to the blog post announcement regarding the incident and published at that time, profile information was accessible to hackers, but there was “no indication that the hackers were able to decrypt stored passwords,” and Slack said that payment information had not been accessed or compromised.

Editors’ Recommendations

  • Flipboard hack prompts password reset for millions of users
  • Millions of Instagram influencers reportedly had private data exposed online
  • 7-Eleven’s mobile payment app shut down after hackers nab $500K from customers
  • Hackers demanding bitcoin payments for code held hostage from GitHub and GitLab
  • TrickBot returns with new attack that compromised 250 million email addresses