Earlier today the workplace chat application Slack revealed that its database was breached. The company, which is said to be worth something north of $US2 billion, confirmed in a blog post that “there was unauthorised access to a Slack database storing user profile information.”
Security researchers are now looking into what went wrong and how the breach may affect users. While Slack assured customers that all stored passwords were encrypted, don’t breathe a sigh of relief just yet.
“The company is emphasising that the passwords are encrypted and salted, but that simply means they will take just a little longer to crack,” said Alex Heid, chief research officer at SecurityScorecard.
Once the passwords are cracked, Heid explained, attackers can reuse the credentials to get into those users’ accounts elsewhere, on any online service such as Amazon, Netflix or Google. Those most at risk, said the researcher, are “people who have reused their same password for everything.”
Users should not only change their Slack passwords and enable two-factor authentication (as Slack recommended), but do the same on most other online services they use.
Additionally, Slack users will likely see an uptick in phishing campaigns, since their email addresses have been exposed. Users should therefore be on the lookout for unsolicited attachments and fraudulent email campaigns, which could carry malware.
While Slack did respond promptly and inform all users about the issue, Heid said that its security posture “leaves a lot to be desired.” Beyond this specific breach, Slack appears to have a few questionable practices. For instance, the Slack sub-domain of any company that uses the service can be found via Google. This means that if attackers want to know which companies use Slack, they can simply perform a Google search. Heid checked this himself and was even able to dig up ‘Activation Links’ tied to specific user accounts.
As the researcher wrote in a follow-up email, “[Slack is] vulnerable by design, and I don’t think this will be the last we have heard of these issues.”