Slack told The Verge that databases containing team message history were not accessed as part of the breach. No payment information was leaked; the main concern is user passwords, which were stored in encrypted form.
The San Francisco-based company said in a blog post on Friday that its central user database was accessible to hackers during that window. The database held limited personal data, including user names, email addresses, and one-way encrypted passwords, as well as optional information such as phone numbers and Skype IDs.
Anne Toth, vice president of policy and compliance strategy at Slack, said there is “no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing.”
Slack has engaged outside experts and law enforcement officials to assist with the investigation, which remains ongoing. According to Slack, it has notified affected individual users and team owners.
Slack has released some security tips, along with two-factor authentication and a password kill switch for IT administrators to implement. It strongly encourages all users to enable two-factor authentication.
The password kill switch triggers an instant sign-out and password reset for every member of a given team. The feature is meant to let leaders clear out their system immediately if a breach is suspected.
Slack has become popular among businesses as an email replacement, reaching more than half a million daily users last month, but the growth has come with new concerns over security.
In October, the company faced criticism over a bug that permitted outsiders to access the list of names of the different rooms available at a company. The bug was fixed immediately after the company was informed of it.