2015 database hack is the terrible gift that keeps giving for Slack: Tens of thousands of passwords now reset Slack says a 2015 database theft is to blame for a large-scale reset of stolen passwords. The Discord-for-Suits developer said on Thursday that it was resetting the passwords for roughly 1 per cent of its 10 million or so accounts after an investigation revealed that stolen credentials were being sold online. These included …
"The only users at risk are people who began using Slack before February of 2015 who have not reset their passwords since the break-in took place, and have not implemented two-factor authentication on their accounts."
I'd argue that users that had used the same password on other systems would also be 'at risk'. Users that use common variants of a password would, I should think, also be at risk.
Indeed, though it's worth noting that at least the passwords were hashed so that's a lot of rainbow tables to generate but that's no longer so difficult on modern infrastructure.
I'm beginning to think that, no manner how clever we make them, passwords are fundamentally flawed. If you've got more than a couple you won't be able to remember them without some kind of help such as a system or a keychain. Or writing them down as one of my customers told me the other day.
2FA via a mobile phone certainly isn't flawless but it's beginning to look like the least worst option.
> Indeed, though it's worth noting that at least the passwords were hashed so that's a lot of rainbow tables to generate but that's no longer so difficult on modern infrastructure.
Not exactly.
At the time (i.e. back in 2015) they believed that only password hashes had been stolen.
This latest revelation is that the attackers injected code into Slack's login page in order to filch plain text creds (i.e. as the user entered them).
2FA is almost always a wise addition though, yes
"After investigating further, the usernames and passwords were found to have been lifted from a Slack network intrusion that occurred more than four years ago"
Did I read that correctly ? They had a network intrusion and didn't think of changing the passwords ?
Somebody should be fired over that, somebody high up. It is network security 101 : when you have detected a breach, you change the passwords. All of them.
When they reset passwords last month, they also originally insisted that the credentials must've been gathered through malware and the breach was "100% not at Slack's end".
After repeated pushbacks and provision of information gathered in twitter threads like that one, they went back to investigate some more.
Now it seems it was rogue shit injected into the Slack login page at their end.
And who said we should remove periodic password changes to improve security? https://pages.nist.gov/800-63-3/sp800-63b.html
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Since it is clear we are not being informed if there is evidence of compromise by all our wonderful cloud providers I still stand by periodic password changes.
Of course where possible MFA should be enforced.
Now a 4 year old hack is biting us in the behind again so periodic password changes are not a bad thing.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
