Hackers breached Slack’s database containing users’ contact information and passwords

Slacking on security?
Image: Pawel Kopczynski/Reuters

Enterprise chat platform Slack revealed today that hackers infiltrated the startup and accessed a database containing users’ contact information for four days in February. As a result, the company said it was adding two-factor authentication, which offers an additional security layer when users log in, and enhanced controls for team administrators to terminate active sessions and reset passwords for the entire company.

In a blog post, Slack’s vice president of policy and compliance strategy, Anne Toth, said hackers breached a database containing user names, encrypted passwords, and email addresses, as well as optional contact information users add to their profiles, such as phone numbers and Skype user names. The company noted that no financial information was accessed in the attack.

“We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing,” wrote Toth. Even so, it has contacted affected users to reset their passwords. The company said it is investigating the issue and consulting outside experts to examine its security practices.
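The "one-way hashing" Toth describes is the reason a stolen password table is not, by itself, a list of usable passwords: the database holds a digest from which the password cannot be recovered, and a login check recomputes the digest and compares. The article does not say which hash function or parameters Slack uses, so the following is an added Python illustration (not Slack's code) with assumed parameters: it contrasts a weak unsalted SHA-256 record with a per-user-salted, iterated PBKDF2-HMAC-SHA256 record, verifies a login against the stored record, and shows why a leaked record in the second form reveals neither the password nor a reusable digest.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; the article does not state Slack's.
ITERATIONS = 200_000   # work factor: slows each guess an attacker makes against a leaked record
SALT_BYTES = 16        # random per-user salt defeats precomputed (rainbow-table) attacks
KEY_BYTES = 32         # derived-key length

def legacy_unsalted_sha256(password: str) -> str:
    """The weak form: a single fast, unsalted hash. Identical passwords give identical
    digests, and fast hashes are cheap to brute-force once the table is stolen."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hardened form: returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt_b64>$<digest_b64>' so the parameters
    can be raised later without invalidating old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])

def verify_password(password: str, stored: str) -> bool:
    """Login check: re-derive the digest with the stored salt and iteration count,
    then compare in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iter_s, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iter_s)
    except ValueError:
        return False  # malformed record never authenticates
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)

def record_exposes_password(password: str, stored: str) -> bool:
    """Breach-impact check: True if the plaintext password, or its unsalted SHA-256
    (which an attacker could look up in a precomputed table), appears in the record."""
    return password in stored or legacy_unsalted_sha256(password) in stored

def salting_separates_identical_passwords(password: str) -> bool:
    """Two users with the same password get different records, yet both verify."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)

if __name__ == "__main__":
    # Constructed sample user table, as an attacker would see it after a breach.
    pw = "correct horse battery staple"
    leaked_rows = [
        {"user": "alice", "email": "alice@example.test", "pw": legacy_unsalted_sha256(pw)},
        {"user": "bob",   "email": "bob@example.test",   "pw": hash_password(pw)},
    ]
    for row in leaked_rows:
        print(row["user"], "record exposes password:", record_exposes_password(pw, row["pw"]))
    print("login ok:", verify_password(pw, leaked_rows[1]["pw"]))
    print("wrong password rejected:", not verify_password("password1", leaked_rows[1]["pw"]))
```

The record format carries its own iteration count, so a team can raise the work factor for new logins while old records keep verifying; the constant-time comparison and the "malformed record never authenticates" branch are the two details most often missed in hand-rolled versions.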

Such a breach has big implications for a rapidly growing enterprise startup. Security is a major concern for Slack’s 60,000 clients, which include Apple, Google, Amazon, and even Quartz. A Slack representative declined to say how many teams and users were affected, except to note it was a “very small number.” The company provided the following statement to Quartz:

We cannot comment beyond details in the blog post about any other unauthorized activity that may have affected individual accounts. We have been in direct communication with a very small number of individual account holders and team owners, but will not be commenting publicly about these accounts. We can confirm that there was no access to databases containing message archives or other similar sensitive team data as part of this incident.

The fact that hackers didn’t access chat logs is somewhat reassuring to its customers, especially since Slack does not encrypt its chat logs. “It is not possible to both securely encrypt messages and offer search as a feature,” said the representative. The ability to instantaneously search across a company’s full chat archives has been a major selling point of the service. Slack also has plans to offer its clients the option to host chats on their own servers.

Slack, which released a native Windows app last week, has grown rapidly since its launch a little over a year ago. Reports suggest the startup, which is currently valued at $1.2 billion, is actively fundraising and seeking a valuation above $2 billion. (Slack declined to comment on the reports when Quartz reached out earlier this week.) In February, the company said it had more than 500,000 daily active users and $12 million in annual recurring revenue.