Slack, the popular cloud-based team collaboration service, has been sending a “password reset” notification email to all users who have not changed their Slack account passwords since 2015, when the company experienced a major data breach.
In 2015, hackers gained access to one of the company’s databases that stored user profile information, including usernames, email addresses, and hashed passwords.
The hackers also secretly inserted code on the login page that let them capture the plaintext passwords entered by Slack users during that period.
Soon after the security incident, the company automatically reset passwords for the few Slack users whose plaintext passwords had been captured and asked the other affected users to change their passwords manually.
In its latest statement, Slack said it had learned of a new list of username and password combinations that match the login credentials of users who did not change their password after the 2015 data breach.
The company was recently contacted through their bug bounty program with information about potentially compromised Slack credentials. The company confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained their actions to the affected users.
This latest security incident affects only users who created an account before March 2015, have not changed their password since the breach, and do not log in through a single-sign-on (SSO) provider.
Although the company does not know the source of these newly leaked plaintext credentials, it believes that someone may have successfully cracked the hashed passwords that were leaked in the 2015 data breach.
Last month, Slack sent a separate notification to all the affected users informing them about the potential compromise of their credentials without providing any details of the incident.
Many users ignored that warning and did not change their passwords. Slack has therefore automatically reset the passwords on the affected accounts, around 1% of all registered users, whose passwords have not been updated since 2015.
The company considers the precaution worth any inconvenience the reset may cause. It also recommends that users enable two-factor authentication on their Slack accounts.
The company is still investigating the latest security incident.