Slack is resetting roughly 100,000 user passwords for accounts that were active in 2015. The company has only recently learned that an old security breach from four years ago was perhaps worse than previously thought.
The news, first reported by ZDNet and confirmed by Slack in an announcement on its website, will only affect about 1 percent of Slack’s 10 million total users. Slack discovered that “unauthorized individuals” had gained access to Slack’s internal infrastructure in 2015, but the company only recently learned the hack may have included some usernames and hashed passwords obtained through malware.
The hackers injected code onto some user computers to capture plaintext passwords in real time back in 2015, something that Slack only put together after its bug bounty program recently yielded some usernames and passwords. But Slack says the password resets are merely precautionary.
“We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause,” Slack said in a statement posted to its website. “However, we do recognize that this is inconvenient for affected users, and we apologize.”
Slack insists that if you’re among the 99 percent of users who joined the service after March of 2015, your account is fine and your password will not be reset. And if you have changed your password since 2015 (which you should have done anyway), then your password is also fine.
If you haven’t set up two-factor authentication yet for Slack, that’s always a good idea, and this is a timely reminder that hackers are going after anything and everything these days. It’s also a good idea to create unique passwords for every account you have across different platforms. People often use the same password everywhere, which means that hackers only need to crack one service and can try the same login credentials everywhere else on the web until they score.