2015 database hack is the terrible gift that keeps giving for Slack: Tens of thousands of passwords now reset

Slack says a 2015 database theft is to blame for a large-scale reset of stolen passwords. The Discord-for-Suits developer said on Thursday that it was resetting the passwords for roughly 1 per cent of its 10 million or so accounts after an investigation revealed that stolen credentials were being sold online. These included …

  1. Anonymous South African Coward Silver badge

    I have a Slack account, but it is dormant.

    1. stiine Silver badge

      That's what you think....

  2. Luke Maslany

    "The only users at risk are people who began using Slack before February of 2015 who have not reset their passwords since the break-in took place, and have not implemented two-factor authentication on their accounts."

    I'd argue that users that had used the same password on other systems would also be 'at risk'. Users that use common variants of a password would, I should think, also be at risk.

    1. Charlie Clark Silver badge

      Indeed, though it's worth noting that at least the passwords were hashed, so that's a lot of rainbow tables to generate, but that's no longer so difficult on modern infrastructure.

      I'm beginning to think that, no matter how clever we make them, passwords are fundamentally flawed. If you've got more than a couple you won't be able to remember them without some kind of help such as a system or a keychain. Or writing them down, as one of my customers told me the other day.

      2FA via a mobile phone certainly isn't flawless but it's beginning to look like the least worst option.

      1. Ben Tasker Silver badge

        > Indeed, though it's worth noting that at least the passwords were hashed so that's a lot of rainbow tables to generate but that's no longer so difficult on modern infrastructure.

        Not exactly.

        At the time (i.e. back in 2015) they believed that only password hashes had been stolen.

        This latest revelation is that the attackers injected code into Slack's login page in order to filch plain text creds (i.e. as the user entered them).

        2FA is almost always a wise addition though, yes

  3. Pascal Monett Silver badge

    Hold it

    "After investigating further, the usernames and passwords were found to have been lifted from a Slack network intrusion that occurred more than four years ago"

    Did I read that correctly? They had a network intrusion and didn't think of changing the passwords?

    Somebody should be fired over that, somebody high up. It is network security 101: when you have detected a breach, you change the passwords. All of them.

    1. Ben Tasker Silver badge

      Re: Hold it

      When they reset passwords last month, they also originally insisted that the credentials must've been gathered through malware and the breach was "100% not at Slack's end".

      After repeated pushbacks and provision of information gathered in Twitter threads like that one, they went back to investigate some more.

      Now it seems it was rogue shit injected into the Slack login page at their end.

    2. Anonymous Coward

      Re: Hold it

      Slack is an Electron app. Someone should be fired over that.

  4. Cavehomme_
    WTF?

    2015? WTF!

    Nuff said

  5. KRS-One
    Facepalm

    Periodic password changes

    And who said we should remove periodic password changes to improve security? https://pages.nist.gov/800-63-3/sp800-63b.html

    Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

    Since it is clear we are not being informed if there is evidence of compromise by all our wonderful cloud providers I still stand by periodic password changes.

    Of course where possible MFA should be enforced.

    Now a 4 year old hack is biting us in the behind again so periodic password changes are not a bad thing.
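The NIST rule quoted in this comment (force a change on evidence of compromise, don't force arbitrary periodic changes) and the at-risk criteria quoted earlier in the thread (account older than the February 2015 break-in, password not reset since, no 2FA) together describe a concrete reset policy. As an added example, not Slack's code or anything from the original thread, the block below encodes exactly that decision: it returns a reset reason only for the compromise case and never for mere age. The account records, the `password_last_changed` field and the cutoff date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed: the boundary quoted in the thread ("before February of 2015").
BREACH_CUTOFF = date(2015, 2, 1)


@dataclass
class Account:
    username: str
    created: date
    password_last_changed: date   # hypothetical field: when the current password was set
    mfa_enabled: bool


def reset_reason(acct: Account, breach_cutoff: date = BREACH_CUTOFF) -> Optional[str]:
    """Return a reason string if this account must be forced to reset, else None.

    Mirrors the thread's criteria: the credential is at risk only if it
    could have been captured (account predates the intrusion), is still in
    use (not changed since), and has no second factor protecting it.
    Age alone is never a reason, per SP 800-63B."""
    if acct.created >= breach_cutoff:
        return None                      # account did not exist during the intrusion
    if acct.password_last_changed >= breach_cutoff:
        return None                      # credential already rotated after the intrusion
    if acct.mfa_enabled:
        return None                      # a stolen password alone is not enough
    return "credential may have been exposed in the 2015 intrusion"


def accounts_to_reset(accounts: List[Account], breach_cutoff: date = BREACH_CUTOFF) -> List[str]:
    """Usernames that must be forced to reset, in input order."""
    return [a.username for a in accounts if reset_reason(a, breach_cutoff) is not None]


# Constructed sample population, one per branch of the decision.
SAMPLE_ACCOUNTS = [
    Account("old_no_mfa", date(2014, 6, 1), date(2014, 6, 1), False),
    Account("old_with_mfa", date(2014, 6, 1), date(2014, 6, 1), True),
    Account("old_rotated", date(2014, 6, 1), date(2016, 3, 9), False),
    Account("joined_later", date(2017, 1, 15), date(2017, 1, 15), False),
]


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(f"{acct.username:14} -> {reset_reason(acct) or 'no action'}")
    print("forced resets:", accounts_to_reset(SAMPLE_ACCOUNTS))
```

Luke Maslany's caveat about password reuse on other sites is outside what any one verifier can evaluate, which is the argument for pairing a compromise-driven reset with MFA rather than relying on either alone.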

Biting the hand that feeds IT © 1998–2019