Cyber Incident Victim: Slack Technologies
Date: Feb 2015
Location: United States of America
Summary
A collaboration platform experienced a security breach over several days, compromising user data including email addresses, usernames, encrypted passwords, and in some cases phone numbers and Skype IDs. Suspicious activity was detected on a small number of accounts, suggesting unauthorized access to communications. The company responded by immediately releasing a previously planned two-factor authentication feature and a password kill switch for administrators, although testing was still in its initial phases. While stolen passwords were protected with bcrypt hashing and salting, the incident highlighted the absence of two-factor authentication prior to the breach, a security standard already offered by competitors and established enterprise tools. External security experts and law enforcement were engaged to investigate, and affected users received private notifications about potential communication breaches.
Description
In February 2015, Slack experienced a security breach over four days that compromised user data, including email addresses, usernames, encrypted passwords, and, in some cases, phone numbers and Skype IDs associated with accounts. The company announced the incident on March 27 via a corporate blog post by VP Anne Toth, acknowledging that attackers had defeated its security protections. Slack detected suspicious activity on a small number of user accounts, indicating that intruders potentially accessed communications within those accounts. The company declined to disclose the exact number of affected users but confirmed it was privately notifying individuals whose communications may have been breached. Slack emphasized that stolen passwords were hashed using bcrypt and salted, making them difficult to decipher, though it urged users to enable two-factor authentication as an additional safeguard.

In response to the breach, Slack immediately released a previously planned two-factor authentication feature, despite ongoing testing, requiring users to enter a one-time passcode sent to their phones alongside standard credentials. The company also introduced a password kill switch, allowing administrators to log out all users of a Slack installation and reset passwords system-wide. Slack stated it had been working around the clock to examine, rebuild, and test each system component for safety, collaborating with external security experts and law enforcement. The incident damaged Slack’s credibility among corporate users, particularly as it positioned itself as a secure alternative to Microsoft and Google’s collaboration tools, which had offered two-factor authentication for years. Competitor HipChat had also suffered a breach in February 2015 but had not yet implemented two-factor authentication, leaving Slack with a relative security advantage post-incident. Slack’s blog post expressed regret for the inconvenience and reiterated its commitment to operational security as its highest priority.
