“It’s a fantastic day when a service I use gets hacked”; said no one ever. No one likes finding out that a company they rely on for their day-to-day activities has been hacked. What hurts even more is when that company chooses not to tell its customers they were hacked until weeks later. This seems to be an issue that Slack, the popular team communication company, has encountered.
According to the official Slack blog:
We were recently able to confirm that there was unauthorized access to a Slack database storing user profile information. We have since blocked this unauthorized access and made additional changes to our technical infrastructure to prevent future incidents. We have also released two-factor authentication and we strongly encourage all users to enable this security feature.
So what exactly did the hackers access? Slack explains that the hackers accessed their “central user database”; this database includes users’ email addresses and passwords. The hackers also had access to information that users might have opted into providing, which includes phone numbers and Skype IDs. While the hackers did not have access to financial or payment information, it is still disconcerting that other personal information was accessed.
Here’s the kicker: Slack indicated that this hack took place over 4 days in February. Instead of letting customers know immediately about the threat, they decided to wait a few weeks before publicly announcing the attack, according to Trinity News Daily. While it is understandable for an organization to want to “confirm the details”, this information needs to be communicated quickly so that users can take the appropriate measures to ensure their information is protected. A few weeks is simply too long.
Slack continued to say:
As part of our investigation we detected suspicious activity affecting a very small number of Slack accounts. We have notified the individual users and team owners who we believe were impacted and are sharing details with their security teams. Unless you have been contacted by us directly about a password reset or been advised of suspicious activity in your team’s account, all the information you need is in this blog post.
Regardless of whether or not you received the individual communication from Slack, we would highly recommend you enable Slack’s two-factor authentication feature to help protect you from future attacks. This new feature simply adds an additional layer of protection to your account. Essentially, you will be prompted to enter an additional passcode along with your normal password each time you sign into Slack. This process is decidedly annoying, but it’s well worth the extra time, since a stolen password alone is no longer enough to get into your account. For those interested, you can enable two-factor authentication by following the steps outlined by Slack here.
With any hack there are a number of concerns that need to be addressed, and it appears that Slack is putting forth extra effort to prevent future attacks, despite handling this instance rather poorly. How do you feel about the way Slack handled this attack? Do you think customers should receive more expeditious notice of an attack when it happens? Let us know what you think in the comment section below.