Today Slack announced that hackers had infiltrated their user profile database and stolen customer user names, email addresses, phone numbers, Skype IDs, and encrypted passwords. The breach is starting to garner widespread attention, partially because it comes on the heels of last month’s report by Slack that they were the fastest-growing business app ever. The news of the breach has also been fueled by rumors of Slack’s latest fund-raising at a valuation of $2.7B.
So, with 500,000 users as of last month, the question now is: what is the impact of the breach?
How widespread is the breach?
Skyhigh’s data across 400 enterprises shows that 60% of organizations have employees using Slack. The largest number of Slack users at an organization is 950, and the average number of Slack users per organization is 168.
When compared to other mainstream services, these numbers may seem small, but they are growing rapidly. Skyhigh’s data supports Slack’s claims of being the fastest growing business app, showing that they have a market leading quarterly growth rate of 166%.
Slack shared that only a fraction of users’ data were breached, and that they have no indication that the attackers have been able to decrypt the stolen passwords. Skyhigh’s data shows that there are only 3 Slack credentials for sale on the darknet today, which supports Slack’s claim.
Additionally, according to Slack, “Slack’s hashing function is bcrypt with a randomly generated salt per-password which makes it computationally infeasible that your password could be recreated from the hashed form.”
Absent any context, such as the bcrypt cost parameter, it’s hard to validate Slack’s claim that cracking the passwords is “computationally infeasible”, but the fact that few stolen credentials have appeared on the darknet indicates that the password hashing is preventing hackers from cracking the passwords.
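Slack’s statement names the hash algorithm but not the cost parameter. That parameter is in fact recorded inside every bcrypt hash string (the `$2b$12$…` prefix), so a defender who holds the hashes can audit it directly. The Python below is an added example, not code from Slack or Skyhigh: it parses bcrypt’s modular-crypt format and checks a set of constructed sample hashes for a minimum cost factor and for unique per-password salts (a repeated salt means the “randomly generated salt per-password” property has failed). The sample strings are constructed to fit the format and are not hashes of any real password; the policy threshold `min_cost=10` is an assumption.

```python
import re
from collections import Counter

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Constructed sample records (not derived from any real password):
# 1) cost 12, unique salt            -> acceptable
# 2) cost 5                          -> too cheap to resist offline cracking
# 3) cost 12 but reuses record 1's salt -> per-password salting has failed
# 4) not a bcrypt string at all      -> legacy or plaintext storage
SAMPLE_HASHES = [
    "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$2b$05$0123456789abcdefghijklzyxwvutsrqponmlkjihgfedcba98765",
    "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ56789",
    "plaintext-or-legacy-hash",
]


def parse_bcrypt(hash_str):
    """Return (version, cost, salt, digest), or None if not a well-formed bcrypt hash."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        return None
    return m["version"], int(m["cost"]), m["salt"], m["digest"]


def work_factor(cost):
    """bcrypt runs 2**cost rounds of its expensive key setup; each +1 doubles attacker cost."""
    return 2 ** cost


def audit_hashes(hashes, min_cost=10):
    """Audit stored hashes for three storage defects.

    Returns a dict of findings:
      malformed   -> strings that are not bcrypt hashes
      low_cost    -> (hash, cost) pairs below the policy minimum
      reused_salt -> hashes whose salt appears more than once
    """
    findings = {"malformed": [], "low_cost": [], "reused_salt": []}
    salt_counts = Counter()
    parsed = []
    for h in hashes:
        p = parse_bcrypt(h)
        if p is None:
            findings["malformed"].append(h)
            continue
        _version, cost, salt, _digest = p
        parsed.append((h, salt))
        salt_counts[salt] += 1
        if cost < min_cost:
            findings["low_cost"].append((h, cost))
    # A salt shared by two records means it was not randomly generated per password.
    for h, salt in parsed:
        if salt_counts[salt] > 1:
            findings["reused_salt"].append(h)
    return findings


if __name__ == "__main__":
    result = audit_hashes(SAMPLE_HASHES, min_cost=10)
    for finding, entries in result.items():
        print(f"{finding}: {len(entries)} record(s)")
        for e in entries:
            print("   ", e)
    print("rounds at cost 12:", work_factor(12))
```

Running the audit over the constructed records reports one low-cost hash, two hashes sharing a salt, and one malformed entry. The same loop, pointed at a real credential table, answers the question the paragraph above cannot: whether the stored cost factor actually backs the “computationally infeasible” claim.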
Is there a risk to Slack users?
If the passwords are protected by strong hashing, the risk of an account being compromised and used by attackers is low. However, the loss of names, emails, phone numbers, and Skype IDs does create a risk of spear phishing for Slack users. Hackers often impersonate support or account representatives at vendors and use personal information to lure users into divulging other information such as passwords or billing data. In addition to enabling two-factor authentication, as suggested by Slack, users should be on guard for potential spear phishing attacks.
The new trend in disclosures
In a recent story on Anthem’s breach, Anna Mathews of the Wall Street Journal noted that, “Anthem’s decision to reveal the attack days after its discovery, even as the investigation is getting under way, may signal a changing attitude among corporate executives about rapid disclosures in the wake of breaches of companies including Target Corp., Home Depot Inc. and Sony Pictures Entertainment Inc.”
In addition to divulging the breach publicly today, Slack announced the availability of two new security features in their breach blog: Two-Factor Authentication and a Password Kill Switch.
A new angle to consider – the collaboration connection
After vendors served as entry points in recent high-profile breaches, such as Target, which was breached via an HVAC vendor, the security of partners and of the services enterprises use to connect to partners has come under increased scrutiny. The Slack breach is interesting because Skyhigh’s data shows that Slack is the second most popular “connector” of enterprises in the collaboration category. If enterprises are using Slack to connect with partners, they should ensure that the security steps recommended by Slack (i.e., two-factor authentication and password resets) are taken by their partners as well.