Slack Auto-resets Passwords for Users Who Had Not Changed Them Following 2015 Breach


If you use Slack, a popular cloud-based team collaboration server, and have recently received an email from the company about a security incident, don't panic: you are not the only one affected. Read this article to the end before taking any action.

Of late, Slack has been sending a notification email to all users who had not yet changed the passwords for their Slack accounts since the massive data breach the company suffered. For those unaware, in the 2015 data breach hackers gained unauthorized access to one of the company's databases that stored user profile information, including usernames, email addresses, and hashed passwords. At that time, the attackers also secretly inserted code, probably on the login page, which allowed them to capture plaintext passwords entered by some Slack users. Immediately following the security incident, the company automatically reset passwords for the small number of Slack users whose plaintext passwords were exposed, but asked the other affected users to change their passwords manually.

In its latest statement, the company said that it learned about a new list of username and password combinations that match the login credentials of users who did not change their passwords following the 2015 data breach. The latest security incident affects only users who either created an account before March 2015 or have not changed their passwords since the incident, and whose accounts do not require logging in through a single sign-on (SSO) provider.

Slack does not know the exact source of the data breach or of the newly leaked plaintext credentials, but suggests that it could be the result of a malware attack or of password reuse between services. It is also possible that someone successfully cracked the hashed passwords that were leaked in the 2015 data breach, even though they were protected using the bcrypt algorithm with a randomly generated salt per password. Late last month, Slack also sent a separate notification to all affected users informing them of the serious potential compromise of their credentials, without furnishing any details of the incident, but it seems that many users ignored the warning and did not change their passwords voluntarily.

As a result, Slack has now, as a precautionary measure, automatically reset passwords on the affected accounts whose passwords have not been updated since 2015, about 1% of the total registered users, and is asking those users to set a new password using this guide. Besides changing their passwords, Slack users are also recommended to enable two-factor authentication for their Slack accounts even if they are not affected. Slack says that it is still investigating the latest security incident and promises to share more information once it becomes available.

Source: The Hacker News
