Slack's security breach may be worse than it's letting on
Security researchers are now looking into what went wrong and how the breach may affect users. While Slack assured customers that all its passwords were encrypted, don't breathe a sigh of relief.
"The company is emphasizing that the passwords are encrypted and salted, but that simply means they will take just a little longer to crack," said Alex Heid, chief research officer at SecurityScorecard.
Once the passwords are cracked, Heid explained, the attackers can reuse the credentials to find these users' accounts elsewhere, meaning on any online service such as Amazon, Netflix, Google, etc. Those who are most at risk, said the researcher, are "people who have reused their same password for everything."
Users should not only change their Slack passwords and enable two-factor authentication (as Slack recommended), but also do the same for most of their other online services.
Additionally, Slack users will likely see an uptick in phishing campaigns now that their emails have been released. Users should be on the lookout for unsolicited attachments and illegal email campaigns, which could contain malware.
While Slack did respond promptly and inform all users about the issue, Heid said that its security posture "leaves a lot to be desired." Beyond this specific breach, Slack appears to have a few questionable practices. For instance, the sub-domain of any company that uses Slack can be found via Google. This means that an attacker who wants to know which companies use Slack can simply perform a Google search. Heid checked this himself and was even able to dig up 'Activation Links' tied to specific user accounts.
As the researcher wrote in a follow-up email, "[Slack is] vulnerable by design, and I don't think this will be the last we have heard of these issues."