As reported by Roem.ru, the Slack messenger was hacked in February 2015 and remained in the hands of intruders for several days. They had access to information about Slack users: names, email addresses and other contact information, as well as password hashes. However, the company reported this incident only yesterday.
After the incident, an investigation lasting more than a month and a half established the scale of the damage caused by the attack. During this time, additional features were also developed to protect messenger users: two-factor authentication and the Password Kill Switch.
With two-factor authentication, the user must now enter not only a password when signing in, but also a special confirmation code. To activate this feature, you need to install the Google Authenticator, Duo Mobile or Microsoft Authenticator application.
The Password Kill Switch feature allows team members with administrative rights to forcibly terminate the sessions of all employees and require a password change.
Slack passwords are hashed with bcrypt, a one-way hash function, using a randomly generated salt per password. Recovering a password from a hash produced this way is considered almost impossible.
The letter that Slack employees sent to users says it has not been established that the attackers had access to files or corporate correspondence. The investigation continues, and the company promises to keep everyone informed of further developments.