
Slack's security breach may be worse than it's letting on

Mar 28, 2015, 05:26 IST

Earlier today the work-based chat application Slack revealed that its database was breached. The company, which is said to be worth something north of $2 billion, confirmed in a blog post that "there was unauthorized access to a Slack database storing user profile information."

Security researchers are now looking into what went wrong and how the breach may affect users. While Slack assured customers that all its passwords were encrypted, don't breathe a sigh of relief.

"The company is emphasizing that the passwords are encrypted and salted, but that simply means they will take just a little longer to crack," said Alex Heid, chief research officer at SecurityScorecard.

Once they are cracked, explained Heid, the attackers can reuse the credentials to get into these users' accounts elsewhere. This means any online service like Amazon, Netflix, Google, etc. Those who are most at risk, said the researcher, are "people who have reused their same password for everything."

Users should not only change their Slack passwords and enable two-factor authentication (as Slack recommended), but do this for most other online services too. Additionally, Slack users will likely see an uptick of phishing campaigns since their emails have been released. So users should be on the lookout for any unsolicited attachments and illegal email campaigns, which could contain malware.

While Slack did respond promptly and inform all users about the issue, Heid said that its security posture "leaves a lot to be desired." Beyond this specific breach, Slack appears to have a few questionable practices. For instance, any company that uses Slack can find their sub-domain via Google. This means that if an attacker wants to know which company uses Slack, they can simply perform a Google search. Heid checked this himself and was even able to dig up 'Activation Links' tied to specific user accounts.

As the researcher wrote in a follow-up email, "[Slack is] vulnerable by design, and I don't think this will be the last we have heard of these issues."
