
Cyber Incident Victim: Slack Technologies

Date: Mar 2015

Location: United States of America

Summary

A messaging platform reset passwords for approximately 1% of its userbase after identifying compromised credentials linked to a prior security breach. Attackers had previously infiltrated the company's infrastructure, accessing databases containing hashed user passwords and deploying code to capture plaintext login credentials. The company initially mitigated the breach by resetting affected passwords and enabling two-factor authentication. Years later, credentials surfaced via a bug bounty program, prompting an investigation that revealed most were tied to accounts active during the original breach. Passwords were reset for users who had neither changed their credentials since the incident nor used single sign-on, totaling roughly 100,000 accounts. The company stated no evidence suggested active account compromises but enforced the reset as a precautionary measure.


Description

In March 2015, Slack experienced a security breach where attackers gained unauthorized access to portions of its infrastructure, including databases containing user credentials. The compromised data included hashed passwords, and the attackers deployed code on Slack’s platform to intercept plaintext passwords entered by users during login attempts. Slack responded to the 2015 incident by resetting passwords for accounts it identified as impacted and implementing two-factor authentication across all user accounts. The company did not disclose the exact number of affected users at the time of the initial breach.

On July 18, 2019, Slack initiated a password reset for approximately 1% of its userbase, roughly 100,000 accounts, after receiving a batch of 65,000 compromised credentials through its bug bounty program. An investigation revealed that most of these credentials originated from accounts active during the 2015 breach. Slack initially considered malware infections or password reuse across services as potential sources but confirmed the 2015 incident as the primary origin after further analysis. The company reset passwords for all users active in 2015 who had neither changed their credentials since the breach nor used single sign-on (SSO) solutions. Slack stated no evidence indicated these accounts were compromised again but described the reset as a precautionary measure. The action affected 10 million users collectively, with no reported operational disruptions or additional unauthorized access beyond the credential exposure.
