Slack, the widely used cloud-based team collaboration platform, has notified users of a security incident. Accounts whose passwords have not been changed since a 2015 data breach have begun receiving password reset emails, which has caused concern among the platform's customers.

The original breach occurred in 2015, when attackers gained unauthorized access to a database holding user profile data, including usernames, email addresses, and passwords hashed with bcrypt. The attackers also injected code into the login page, which could have captured plaintext passwords entered by users during that window. Slack responded by resetting the passwords of the users it could identify as directly affected and asking the remaining users to change their credentials.

In a recent statement, the company disclosed that it had been informed, through its bug bounty program, of a newly compromised set of username and password combinations belonging to users who had not updated their passwords since the 2015 incident. Slack stated, “We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users.”

The reset affects users who created their accounts before March 2015, have not changed their passwords since, and do not sign in through single sign-on (SSO). The source of the leaked credentials is unclear; Slack suggested they may come from malware on users' machines or from passwords reused across other services. It is also possible that password hashes stolen in the 2015 breach have since been cracked offline: bcrypt makes each guess expensive, but it does not protect a weak or reused password against a wordlist attack.

Last month's notifications to affected users gave little detail about the incident, and many users appear to have ignored them. Slack therefore forced a reset on roughly 1% of all accounts, those whose passwords had not changed since 2015. The company says it has found no evidence that these accounts were compromised, but considers the precautionary reset necessary to keep users safe.
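As an added illustration, and not Slack's own code or anything taken from its statement, the following Python models the three steps the article describes: confirming which leaked email/password pairs are still valid against a salted, iterated password store, selecting accounts for the precautionary reset (created before March 2015, password unchanged since, not on SSO), and an offline wordlist attack on a stale hash showing why a slow hash only delays the cracking of a weak password. PBKDF2-HMAC-SHA256 stands in for bcrypt because the standard library has no bcrypt; its iteration count plays the role of bcrypt's work factor. The user records, dates, wordlist and leaked pairs are constructed for the example.

```python
"""Added example (not Slack's code): validating a leaked credential list
against a salted, iterated password store, selecting accounts for the
precautionary reset, and an offline wordlist attack on a stale hash.

PBKDF2-HMAC-SHA256 stands in for bcrypt, which the standard library lacks;
the iteration count plays the same role as bcrypt's work factor. All users,
dates, wordlist entries and leaked pairs below are constructed."""
import hashlib
import hmac
import os
from datetime import date

ITERATIONS = 50_000               # work factor; raising it slows every guess, legitimate or not
BREACH_CUTOFF = date(2015, 3, 1)  # accounts created, and passwords unchanged, before this are in scope


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest, iterations) for storage; a fresh random salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def verify_password(password, salt, digest, iterations):
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def _make_user(created, changed, sso, password):
    salt, digest, iters = hash_password(password)
    return {"created": created, "password_changed": changed, "sso": sso,
            "salt": salt, "hash": digest, "iterations": iters}


# Constructed user store (hypothetical accounts).
USERS = {
    "alice@example.com": _make_user(date(2014, 6, 1), date(2014, 6, 1), False, "password1"),     # stale and weak
    "bob@example.com":   _make_user(date(2014, 9, 9), date(2016, 2, 2), False, "Tq8!vN2#rLw9"),  # rotated after 2015
    "carol@example.com": _make_user(date(2013, 1, 5), date(2013, 1, 5), True,  "unused-sso"),    # signs in via SSO
    "dave@example.com":  _make_user(date(2017, 4, 4), date(2017, 4, 4), False, "letmein"),       # created after cutoff
}

# Constructed leaked list, as a bug bounty reporter might hand it over.
LEAKED_PAIRS = [
    ("alice@example.com", "password1"),   # still valid
    ("bob@example.com", "oldbobpass"),    # bob's pre-2016 password, no longer valid
    ("eve@example.com", "whatever"),      # not an account here at all
]

# Constructed wordlist for the offline attack.
COMMON_PASSWORDS = ["123456", "password", "password1", "letmein", "qwerty"]


def find_valid_leaked_pairs(users, leaked_pairs):
    """The check in Slack's statement: which leaked email/password pairs still work."""
    valid = []
    for email, password in leaked_pairs:
        user = users.get(email)
        if user and verify_password(password, user["salt"], user["hash"], user["iterations"]):
            valid.append(email)
    return sorted(valid)


def needs_precautionary_reset(user, cutoff=BREACH_CUTOFF):
    """Created before the cutoff, password never changed since, and not on SSO."""
    return (user["created"] < cutoff
            and user["password_changed"] < cutoff
            and not user["sso"])


def accounts_to_reset(users, cutoff=BREACH_CUTOFF):
    return sorted(e for e, u in users.items() if needs_precautionary_reset(u, cutoff))


def crack_with_wordlist(user, wordlist):
    """Offline attack on one stolen hash: returns (password_or_None, guesses_tried).
    The salt only defeats precomputed tables and the work factor only multiplies
    the cost per guess, so a password present in the wordlist falls in a few tries."""
    for tried, guess in enumerate(wordlist, start=1):
        if verify_password(guess, user["salt"], user["hash"], user["iterations"]):
            return guess, tried
    return None, len(wordlist)


if __name__ == "__main__":
    print("valid leaked pairs:", find_valid_leaked_pairs(USERS, LEAKED_PAIRS))
    print("precautionary reset:", accounts_to_reset(USERS))
    for email in ("alice@example.com", "bob@example.com"):
        print(email, "->", crack_with_wordlist(USERS[email], COMMON_PASSWORDS))
```

Alice's account is the one the article is about: an old, never-rotated, non-SSO password that is both in the leaked list and in any common wordlist, so it falls on the third guess regardless of the hash's work factor. Bob rotated after the breach, so the leaked pair fails verification and the wordlist attack exhausts without a hit; Carol and Dave fall outside the reset criteria on the SSO flag and the creation date respectively.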

All users, whether or not they received a notice, should enable two-factor authentication and stop reusing passwords across services, since reuse is one of the suspected sources of the leaked list. Slack says it will share more information as its investigation continues.

Mapped to the MITRE ATT&CK framework, the 2015 intrusion combined Initial Access (the compromise of the database and login page) with Credential Access: the modified login page is Input Capture (T1056), the stolen hashes are material for offline Password Cracking (T1110.002), and a newly surfaced list of working email/password pairs points to Credential Stuffing (T1110.004) against reused passwords or to Valid Accounts (T1078) wherever a pair still works. As businesses increasingly rely on collaboration platforms like Slack, protecting the accounts that hold organizational data means rotating credentials after a breach, using SSO or two-factor authentication, and never reusing a password across services.
