Thousands of Slack passwords belatedly reset after company admits passwords have been cracked
Springing into action...
Slack, the collaboration app popular with developers and anyone exasperated by Skype, has reset thousands of user passwords after belatedly admitting that a March 2015 security breach also compromised credentials.
After the attack in 2015, Slack admitted that the hackers had been able to gain access to a database storing user-profile information, including user names, email addresses and their passwords. As per best practice, these passwords had been hashed, the company said, and ought therefore to be secure, although the attackers were also able to capture some passwords in plain text as they were entered by users at the time.
While the company admitted the breach back in March 2015, it said at the time that there had been "no indication" that the attackers were able to crack stored passwords.
However, new evidence has been presented via the company's bug bounty programme indicating that a number of the passwords have, indeed, been cracked. The password-reset will affect around one per cent of accounts - accounts created before March 2015 on which passwords haven't been changed in the past four-and-a-half years.
"We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials," the company admitted in its blog. "These types of reports are fairly routine and usually the result of malware or password re-use between services, which we believed to be the case here.
"We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users. However, as more information became available and our investigation continued, we determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident."
As a result of the new information, Slack has reset passwords for all accounts that were active at the time of the 2015 incident. "We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause," the company added.
Slack has proved wildly popular since its initial release in 2013. Microsoft responded by launching Teams, which it now claims is as widely used as Slack, although it lacks many of the features that made Slack a favourite with developers in particular.
Not everyone is impressed with Teams, while even DevOps software maker Atlassian has brought out its own alternative, marketing it as much on price as features.