Slack Technologies, creator of a popular workroom chat service, has been hacked, leaking the personal information of up to 500,000 users. The service allows employees to manage projects and work using internal message boards.
The leaked information includes phone numbers, email IDs and Skype IDs that users have used to log in or added to their profiles. The service has been gaining popularity over a few months, and has been valued at $2 billion. Users can post images, media and links from services like Twitter, Skype and Google Drive.
“We have recently been able to confirm that there was unauthorized access to a Slack database storing profile data,” said Slack Technologies in a blog post.
Slack VP of policy and compliance strategy Anne Toth mentioned that the attack continued over a four-day period in February, exposing the database. However, sensitive payment or card information was not leaked during the attack. Messages and team communications were exposed for some users. Toth added that hackers could not decrypt the hashed passwords, though users with weak passwords were notified to reset their login information.
The company has brought in experts to “cross-check” assumptions and has notified law enforcement. For added security in the future, Slack has introduced a two-factor authentication feature, which uses a one-time password for login. Though the OTP method, supported by the Google Authenticator and Duo Mobile apps, is optional, the company highly recommends it.
The company will also offer a “password kill switch” feature to team leaders in a company, for resetting the login information of team members. The feature will end the project session and require a new password for user login. In 2014, the company was criticized for opening chat space names to everyone, and later changed its policy to rectify the flaw.