Slack says that, through its bug bounty program, it has received a new batch of user credentials compromised in the Great Slack Hack of 2015.
Remember that one? No? Well, it’s why Slack has two-factor authentication now.
The batch contained credentials for about 65,000 Slack users, but Slack says it is now resetting passwords for all users who were active in 2015. Four years later, yep.
Catalin Cimpanu writes for Zero Day that this means about 1 percent of Slack users are getting a mandatory password reset.
“We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users,” Slack said.
In a message on its website, Slack said this batch of credentials came via its bug bounty program. The company said it initially believed the data came from users who had their PCs infected with malware, or users who reused passwords across different services.
“However, as more information became available and our investigation continued, we determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident,” Slack said.
While the batch of compromised credentials included 65,000 passwords, Slack has now decided to reset passwords for all users who were active at the time of the 2015 breach, except users who have already changed their password since then and those who sign in through single sign-on (SSO).
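The two steps Slack describes (checking which leaked email/password pairs are still valid, then scoping a forced reset to the 2015 cohort minus rotated and SSO accounts) are a routine procedure for any service that receives a credential dump. The following is an added example written for this page, not Slack's code; the incident window dates, the PBKDF2 hashing (a stdlib stand-in for whatever the real password store uses), the user records and the leaked dump are all constructed for illustration.

```python
"""Added example: verify a leaked credential dump against a password
store and scope a forced reset. Not Slack's code; all data is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

# Hypothetical incident window; the article only says "2015".
INCIDENT_START = date(2015, 2, 1)
INCIDENT_END = date(2015, 3, 31)
PBKDF2_ROUNDS = 100_000  # illustrative work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stand-in for bcrypt/argon2 in a real store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    logged_in_during_incident: bool   # had a session inside the incident window
    last_password_change: date
    uses_sso: bool                    # SSO users have no local password to reset


def make_user(email, password, logged_in_during_incident, last_password_change, uses_sso=False):
    salt = os.urandom(16)
    return User(email, salt, hash_password(password, salt),
                logged_in_during_incident, last_password_change, uses_sso)


def verify_leaked_credentials(leaked, users):
    """Return the set of emails whose leaked plaintext still matches the stored
    hash. Plaintexts are only hashed and compared in constant time, never stored."""
    by_email = {u.email.lower(): u for u in users}
    confirmed = set()
    for email, plaintext in leaked:
        user = by_email.get(email.strip().lower())
        if user is None:
            continue  # not our user, or account already deleted
        if hmac.compare_digest(hash_password(plaintext, user.salt), user.pw_hash):
            confirmed.add(user.email)
    return confirmed


def needs_forced_reset(user, confirmed):
    """Reset rule as the article describes it: confirmed-live credentials always
    reset; otherwise the 2015 cohort, minus anyone who rotated since and minus SSO."""
    if user.uses_sso:
        return False
    if user.email in confirmed:
        return True  # leaked password still works: reset regardless of cohort
    return user.logged_in_during_incident and user.last_password_change <= INCIDENT_END


def plan_forced_reset(users, confirmed):
    return sorted(u.email for u in users if needs_forced_reset(u, confirmed))


# Constructed sample population covering each branch of the rule.
SAMPLE_USERS = [
    make_user("alice@example.com", "correct horse", True, date(2015, 1, 10)),          # cohort, never rotated
    make_user("bob@example.com", "newpass-2017", True, date(2017, 5, 1)),              # cohort, rotated since
    make_user("carol@example.com", "unused-with-sso", True, date(2015, 1, 5), True),   # cohort, but SSO
    make_user("dave@example.com", "letmein", False, date(2014, 6, 1)),                 # outside cohort, leaked cred live
    make_user("erin@example.com", "strong-unique", False, date(2019, 1, 1)),           # untouched
]

# Constructed dump as it might arrive through a bug bounty report.
LEAKED_DUMP = [
    ("alice@example.com", "correct horse"),
    ("BOB@example.com ", "hunter2"),          # bob's old password, no longer valid
    ("dave@example.com", "letmein"),
    ("nobody@example.com", "whatever"),       # not an account here
]

if __name__ == "__main__":
    confirmed = verify_leaked_credentials(LEAKED_DUMP, SAMPLE_USERS)
    print("confirmed live:", sorted(confirmed))
    print("force reset:", plan_forced_reset(SAMPLE_USERS, confirmed))
```

Note that bob is excluded even though he appears in the dump: his leaked password no longer matches, and he rotated after the incident window, which is exactly the carve-out Slack describes. Dave is reset although he was not active in 2015, because the leaked pair is confirmed live.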
Media should not report %s, but rather ask for hard numbers.
This isn't to rag on Slack, it's just that as these services get so large, they often say "just 1%" or "under 5% of users impacted" which look tiny, until you translate to "oh, that's actually 000s or millions of people" https://t.co/gR5MeVz1fa
— @hunterwalk, July 18, 2019