Slack has some good security news and some bad security news. First, the bad news: for four days in February, the company suffered a breach of its user database, exposing sensitive information to malicious hackers. Slack confirmed to The Verge that databases containing team message history were not accessed as part of the breach. No payment information was exposed, so the main concern is user passwords, which were stored in encrypted form. The encryption makes it hard for attackers to work back to the original passwords, but it's still an embarrassing breach, and it's difficult to say for sure that the passwords will never be recovered.
An embarrassing breach
But there's also good news. In response to the breach, Slack is rolling out two new security features designed to help teams respond in the aftermath of a breach. The most important is two-factor authentication, available now through the team site, which will ensure the password alone isn't enough to compromise an account. According to Slack, the feature was already in the works, but the breach disclosure convinced the team to move up the launch. "We were about a week from release, with just a few small UI tweaks to simplify and clarify the usage experience," said Vice President of policy Anne Toth. "We have decided to release it immediately, despite the remaining bits of clunky-ness."
Slack is also rolling out a "password-kill" feature, which will allow an instant sign-out and password reset for every member of a given team. The feature is meant to allow leaders to flush out their system instantaneously if they suspect a breach. If an attacker is logged on during a password kill, they would be immediately kicked off the system, and unable to log back in without access to a team member's email. The legitimate members of the team will have to go through the password-reset process, but it should be a small price to pay for locking any eavesdroppers out of the system.
Slack has grown popular among businesses as an email replacement, reaching more than half a million daily users last month, but the growth has come with new concerns over security. In October, the company faced criticism over a bug that allowed outsiders to view the names of different rooms available at a company. The bug was fixed shortly after being made public.
3/27 3:04pm: Updated with Slack confirmation that team messaging archives were not accessed as part of the breach.