Chat-Room Startup Slack Implements 2-Factor Authentication Following February Hack
Slack, the fast-growing startup previously known as Tiny Speck, has rolled out an optional two-factor authentication feature in response to a recent hacker attack. The company confirmed there was unauthorized access to its database containing user profile information, and though it was quick to respond and made changes to its security infrastructure to prevent future incidents, Slack "strongly" encourages its users to take advantage of two-factor authentication.
Before talking about that, let's look at what happened. According to Slack, the database that was hacked contained usernames, email addresses, and one-way encrypted (hashed) passwords. It also contained information that users may have optionally entered, like their phone number and Skype ID. All of that information was accessible to the hackers.
The hacking incident occurred over a four-day period in February. On the plus side, no financial or payment information was taken, and there's nothing to indicate that the culprit was able to decrypt stored passwords.
"We are very aware that our service is essential to many teams. Earning your trust through the operation of a secure service will always be our highest priority. We deeply regret this incident and apologize to you, and to everyone who relies on Slack, for the inconvenience," Slack said in a statement.
Though things could have been worse, Slack is pushing for its users to implement two-factor authentication. This requires downloading and installing an authentication app on your phone or tablet, such as Google Authenticator or Duo Mobile (most Time-Based, One-Time Password applications should work). Further instructions can be found here, but short and sweet, this would require logging in with your password and then verifying your identity with a code that's sent to your mobile device.
Slack also rolled out a "Password Kill Switch" feature for team owners. This allows for both instantaneous and team-wide resetting of passwords and forced termination of all user sessions for all team members.
Whether or not these security measures will help restore Slack's credibility remains to be seen. If nothing else, it's a sign of the times, as a growing number of sites and services implement two-factor authentication logins.