Slack's security breach may be worse than it's letting on


Slack CEO Stewart Butterfield

Slack

Earlier today the work-based chat application Slack revealed that its database was breached. The company, which is said to be worth something north of $2 billion, confirmed in a blog post that "there was unauthorized access to a Slack database storing user profile information."


Security researchers are now looking into what went wrong and how the breach may affect users. While Slack assured customers that all of its stored passwords were encrypted, that is no reason to breathe a sigh of relief.

"The company is emphasizing that the passwords are encrypted and salted, but that simply means they will take just a little longer to crack," said Alex Heid, chief research officer at SecurityScorecard.


Once they are cracked, explained Heid, attackers can reuse the credentials to get into those users' accounts elsewhere, on any online service such as Amazon, Netflix, or Google. Those who are most at risk, said the researcher, are "people who have reused their same password for everything."

Users should not only change their Slack passwords and enable two-factor authentication (as Slack recommended), but do the same for most other services they use online.
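To illustrate Heid's point that a salt only adds "a little longer" to cracking, here is an added example (not code from the article, from Slack, or from SecurityScorecard) that contrasts a fast salted hash with a deliberately slow key-derivation function. The salt, password and iteration count are constructed values chosen for the demonstration; the page does not describe how Slack actually stored its passwords, so nothing here should be read as a description of Slack's scheme.

```python
import hashlib
import hmac
import os
import time

# Constructed work factor for the example; real deployments tune this to
# their hardware budget (hundreds of thousands of PBKDF2 rounds or more).
PBKDF2_ITERATIONS = 100_000


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Fast salted hash. The salt defeats precomputed (rainbow) tables and
    forces one cracking run per user, but each guess is still a single SHA-256."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_kdf(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Deliberately slow KDF: every guess costs the attacker `iterations`
    HMAC rounds, which is what actually makes offline cracking expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, hasher=slow_kdf) -> bool:
    """Check a login attempt against the stored digest in constant time."""
    return hmac.compare_digest(hasher(password, salt), stored)


def salt_isolates_users(password: str) -> bool:
    """Two users with the same password but different random salts store
    different digests, so one cracked digest does not directly expose the other."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return salted_sha256(password, salt_a) != salted_sha256(password, salt_b)


def cost_ratio(password: str = "correct horse", guesses: int = 10) -> float:
    """Measure how many times more expensive one guess is under the slow KDF
    than under the fast salted hash; this ratio is the attacker's slowdown."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(guesses):
        salted_sha256(password, salt)
    fast = time.perf_counter() - start

    start = time.perf_counter()
    for _ in range(guesses):
        slow_kdf(password, salt)
    slow = time.perf_counter() - start
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    # Constructed sample credential; not data from the breach.
    salt = os.urandom(16)
    stored = slow_kdf("correct horse", salt)
    print("login ok:", verify("correct horse", salt, stored))
    print("wrong password rejected:", not verify("wrong horse", salt, stored))
    print("salt isolates users:", salt_isolates_users("correct horse"))
    print(f"slow KDF is ~{cost_ratio():.0f}x more expensive per guess")
```

The design point for defenders: a salt changes the shape of the attack (one run per user instead of one table for everyone) but not its cost per guess, whereas the work factor of a slow KDF multiplies that cost for every guess an attacker makes. Neither helps a user whose cracked password also opens their accounts elsewhere, which is why the advice above is to change reused passwords everywhere, not just on Slack.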


Additionally, Slack users will likely see an uptick in phishing campaigns now that their email addresses have been exposed. Users should therefore be on the lookout for unsolicited attachments and fraudulent email campaigns, which could carry malware.

While Slack did respond promptly and inform all users about the issue, Heid said that its security posture "leaves a lot to be desired." Beyond this specific breach, Slack appears to have a few questionable practices. For instance, the Slack subdomain of any company that uses the service can be found via Google, so an attacker who wants to know which companies use Slack can simply perform a Google search. Heid checked this himself and was even able to dig up 'Activation Links' tied to specific user accounts.

As the researcher wrote in a follow-up email, "[Slack is] vulnerable by design, and I don't think this will be the last we have heard of these issues."
