Company resets thousands of passwords

Sheri Evans
July 20, 2019

Slack says that it is notifying any affected users whose passwords it is resetting, and recommends that all users turn on two-factor authentication.

In March 2015, Slack said hackers gained access to some Slack infrastructure, including databases storing user credentials.

One can't help but wonder: if Slack had reset all user passwords following the 2015 incident, would we be having this discussion today? The attackers also managed to steal some unencrypted, plain-text passwords while they were inside the company's network.

However, the firm this week admitted that it has learned through its bug bounty program that a collection of user email addresses and password combinations had been compromised, which it has since linked to the 2015 breach.

Some four years after Slack suffered a data breach, the company has chosen to reset the passwords of users it believes were affected.

But upon further investigation, Slack discovered that most of the compromised credentials "were from accounts that logged in to Slack during the 2015 security incident". Sure, password resets are inconvenient, but it's better to be safe than sorry, no?

The 100,000-plus accounts that Slack reset were all created before March 2015.

Given that the attackers were able to grab some users' plaintext passwords as they entered them during the 2015 incident, and already had access to the usernames, it's likely that the credentials the researcher sent to Slack were taken as part of that original incident.

While the batch of compromised credentials included 65,000 passwords, Slack decided today to reset passwords for all users who were active at the time of the 2015 breach, except users who have changed their password since then or whose accounts require logging in via a single sign-on (SSO) provider.

"We have no reason to believe that any of these accounts were compromised", Slack said in a blog post, "but we believe that this precaution is worth any inconvenience the reset may cause".
