Messaging app Slack adds extra security layers after recent hack attack

29 Mar 2015 | Author: | No comments yet »

After A Hack, Slack Adds Two-Factor Authentication—Is That Good Enough?.

According to an internal investigation, the security breach occurred in February and lasted up to four days, affecting Slack’s central user database containing usernames, email addresses, encrypted passwords and other sensitive information.Enterprise chat platform Slack revealed today that hackers infiltrated the startup and accessed a database containing users’ contact information for four days in February.

Slack is a corporate group-chatting tool that’s become crucial to how many businesses work today, including (The company behind it, also called Slack, is important in its own right: At more than $2 billion, it’s one of the highest-valued companies in Silicon Valley, and is driving a round of stratospheric startup evaluations.) Slack was also the target of a recent hacking incident, in which user data—email addresses, phone numbers, and Skype usernames—was exposed to attackers. Although Slack said users’ passwords were unreadable to the hackers, the startup admitted it found “suspicious activity” from a small, unspecified group of Slack user accounts, suggesting at least some data had been compromised. “Since the compromised system was first discovered, we have been working 24 hours a day to methodically examine, rebuild and test each component of our system to ensure it is safe,” the company said in an email to Slack users on Friday. “We are very aware that our service is essential to many teams,” added Slack’s VP of policy and compliance strategy, Anne Toth, in a company blog post.

Now it’s just hit a different milestone for budding startups: Getting humiliated by hackers who defeated its not-quite-ready-for-primetime security protections. As a result of the breach, Slack implemented two-factor authentication, a security protocol also offered by tech companies like Google for logging into Gmail. The company noted that no financial information was accessed in the attack. “We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing,” wrote Toth.

Instead of just your password standing between you and hackers, it also requires a second key—sometimes a number texted to your cellphone—before you can fully log in. While security breaches have become commonplace, the news may be particularly damaging for Slack, which counts many businesses and organizations among its 500,000 or so daily active users, including Mashable. And security, of course, is important, especially in the businesses in which Slack is often used. (A Slack security blunder late last year that revealed a group’s public chat names to anyone who cared to access them was newsworthy by itself.) Two-factor authentication isn’t difficult to set up, but it’s not particularly intuitive either. The six-year-old startup, which was cofounded run by Stewart Butterfield, recently signed a deal to raise an additional $160 million in funding from new investors including DST Global, Index Ventures, Venture Partners and Horizons Ventures. The deal is expected to close in the next few weeks, according to a The Wall Street Journal report, valuing Slack at $2.76 billion — more than twice the valuation it earned after raising $120 million five months earlier.

So if you’re one of Slack’s half-million daily users, here’s how to go about doing it: (Slack has posted their own instructions for how to do this, but I found them lacking, especially for users who’ve never set up two-factor authentication beyond Google or Twitter before. They’re also not helpful for users in more than one Slack room.) (If you can’t find the words “two-factor authentication” on the page, make sure you’re in the “Settings” tab. A Slack representative declined to say how many teams and users were affected, except to note it was a “very small number.” The company provided the following statement to Quartz: We can not comment beyond details in the blog post about any other unauthorized activity that may have affected individual accounts. It’s also enabled a password “kill switch” for Slack administrators, allowing them to log out all users of a Slack installation and reset their passwords.

Unless you have been contacted by us directly about a password reset or been advised of suspicious activity in your team’s account, all the information you need is in this blog post. The most concerning part of the breach—and the reason two-factor authentication makes for a logical response—is the fact that passwords were included in the data that was accessed.

Given those enterprise ambitions, its addition of two-factor authentication highlights that it didn’t have that security protection in place earlier — a fact that’s surprising, given that the two-factor feature is increasingly seen as the standard for web-based applications. On the other hand, Slack’s popular competitor Hipchat also revealed in February that it had been hacked and a portion of its usernames and email addresses compromised. The breadth of the data Slack is sitting on in general is pretty valuable, from financial credentials to the contents of discussions held across entire organizations.

In the iPhone or Android app store, search for and then download either an app called Google Authenticator (iPhone, Android) or one called Duo Mobile. If a hacker got into the Fast Company Slack, for example, they could pass along future editorial plans and business details to our competitors—or simply try to embarrass us by publishing our frequent all-emoji conversations. Two-factor authentication—requiring users to identify themselves using two different components—is a common way for services to secure themselves against third-party exploits, such as the one that famously ruined tech writer Mat Honan’s day in a big way. It’s an all-around sensible approach to safeguarding user security—at least until we can unlock all of our devices and apps using our fingerprints and faces—but in this case, two-factor authentication wouldn’t have necessarily prevented this sort of breach.

It says that its stolen passwords had been both—converted into an unreadable string of characters—with the hashing function known as bcrypt and also “salted,” an additional step that usually makes hashed passwords far more difficult for any thieves to decipher. One option, says former Stanford University professor Elizabeth Stark, is for apps like Slack to decentralize their data. “When data can be stored locally on a user’s device and used to authenticate without having to be stored in a centralized repository, we no longer have the possibility of millions of users’ personal information being compromised,” says Stark. “Two-factor auth doesn’t really help with this.” Slack is an endlessly buzzed-about startup created by Flickr cofounder Stewart Butterfield in the fall of 2013. Since its launch, Slack has exploded, amassing over 500,000 users at a growing list of companies, including tech giants like Apple, Google, Facebook, and Amazon.

In October of last year, a bug exposed each organization’s list of chat rooms—which can include potentially confidential insights—to anyone willing to poke around a given company’s sign-in screen. Indeed, you have perhaps found the only time that QR codes are actually useful.) In Google Authenticator, you have to press a plus-sign button near the top of the screen to start a new log-in.

If this worked, you’ll go back to your Account Settings page, where you’ll see a green “Enabled” next to “two factor authentication.” Below that, you’ll also see 10 unused backup codes. Re-enter your username and password, then enter the PIN currently showing on your Authenticator app. (These PINs change every 30 seconds, so make sure it’s recent.) Now you should be logged in to a more secure Slack. The easiest way to do that is to enter this into your browser’s URL bar— —where the word in brackets is the URL subdomain of your Slack. (The easiest way to find that information is to click on a timestamp next to any chat and see where Slack sends you in your browser.

Here you can write a commentary on the recording "Messaging app Slack adds extra security layers after recent hack attack".

* Required fields
All the reviews are moderated.
Our partners
Follow us
Contact us
Our contacts

ICQ: 423360519

About this site