The just-discovered Slack hack has brought up a fresh discussion field: When it comes to best practices, where does user responsibility end, and organizational preparedness begin?
Slack, which was started by Flickr founder Stewart Butterfield in 2013, is a chat app for businesses that replaces intra-office email. It’s on many levels an aggregator, and plugs into other services like Twitter, Skype, GitHub and Dropbox. Companies like eBay, Sony, Yelp and NBCUniversal all use it to get things done among teams. It also continues to work on its video and voice functions to expand user engagement with the app.
Slack said that an intrusion in February that lasted about four days allowed hackers to obtain access to user names, email addresses and passwords, and any other information that users may have optionally added to their profiles to integrate with other services, like Skype IDs and phone numbers. No financial or payment information was accessed or compromised.
The company characterized the breach as affecting a “very small number of Slack accounts,” but the lack of concrete information as to the purloined goods points out a significant security failing as far as one security expert is concerned.
“Now Slack users are left wondering if their personal information was stolen and how they might be affected,” said iboss Cybersecurity CEO Paul Martini, in an email. “This further highlights the need for all organizations—both startups and established companies—to invest in post–infection software that can quickly identify security breaches and prevent valuable data theft.”
One slice of daylight: the Slack passwords were hashed. “We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing,” explained Anne Toth, vice president of policy and compliance strategy at Slack, in a website announcement. “[The] hashing function is bcrypt with a randomly generated salt per-password which makes it computationally infeasible that your password could be recreated from the hashed form.”
Toth also said that Slack has since blocked the unauthorized access and has “made additional changes to our technical infrastructure” to prevent future incidents.
She went to lengths to demonstrate that the company has been proactive in dealing with the event.
“Since the compromised system was first discovered, we have been working 24 hours a day to methodically examine, rebuild and test each component of our system to ensure it is safe,” she said. “We are collaborating with outside experts to cross-check assumptions and ensure that we are meticulous in our approach. In addition we have notified law enforcement of this illegal intrusion.”
She added, “As soon as the evidence was uncovered, we started communication with the affected teams. The announcement was made as soon as we could confirm the details and as fast as we could type.”
In the wake of the incident, Slack has released two-factor authentication and a kill-switch. The password kill-switch for team owners allows for both instantaneous team-wide resetting of passwords and forced termination of all user sessions for all team members (which means that everyone is signed out of your Slack team in all apps on all devices).
Still, operating under the assumption that a breach will occur is an oversight. “Hat's off to the Slack team for apparently responding promptly and putting two-factor authentication in place,” said Muddu Sudhakar, CEO for Caspida, in an email. “However, what's not being discussed and can be more impactful is taking [a] more proactive stance on their cybersecurity.”
Sudhakar added, “When hacks like Slack’s come to light, there's a lot of emphasis on better hygiene approaches from the users—[that] they should have created more robust passwords, [or] not re-used the same password for multiple assets. [However], the bad guys inevitably get through the perimeter, as Slack found, [and] having processes and systems in place to quickly highlight the issues and facilitate investigations will help reduce the rate of compromises.”