Slack 2015: Hashed Passwords Stolen, and the Attacker Left a Message
Slack's central user database, including email addresses and hashed passwords, was accessed by an unauthorised party. Unusually, the attacker left a message behind in Slack's own systems, and had also inserted malicious code.
Background
Slack was a rapidly growing enterprise messaging platform with millions of users in 2015. In February 2015, Slack discovered that unauthorised access had occurred to the database storing user profile information.
The Attack
Attackers gained access to Slack's central user database, which contained usernames, email addresses, hashed and salted passwords, and phone numbers. Slack used bcrypt for password hashing, a deliberately slow algorithm that makes bulk cracking of stolen hashes extremely expensive. The attackers also inserted code into Slack to monitor keyword searches across the platform. Unusually, they also left behind an indicator of compromise that seemed deliberate and almost braggadocious in nature: a trace left on purpose rather than by accident.
Response
Slack reset passwords for all accounts where it detected suspicious activity and added two-factor authentication. The company notified all affected users and published a detailed post-mortem within days of discovery, demonstrating transparency. It also launched a bug bounty programme.
Outcome
Slack's use of bcrypt meant that cracking the stolen hashes was computationally expensive, protecting the majority of users even after the database was stolen. The transparency and rapid response were praised. The incident drove Slack's investment in security features, including mandatory 2FA for enterprise customers.
Key Takeaways
- bcrypt password hashing makes a stolen database significantly less exploitable; it is the correct choice over fast hashes such as MD5 or SHA-1
- The attacker's monitoring of keyword searches demonstrates the value of end-to-end encryption for sensitive communications
- Rapid, transparent breach disclosure maintains user trust more effectively than delayed or obscured disclosure
- Database access monitoring must be able to detect unusual bulk read operations, even when they are performed with legitimate credentials
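The last takeaway, detecting bulk reads performed with valid credentials, as an added Python example that is not part of the original write-up and does not describe Slack's actual tooling: it scans constructed database audit-log lines (the log format, the account name app_web and the thresholds are assumptions) and flags any account whose rows read from the user table inside a sliding window exceed a limit, regardless of whether the credential used is legitimate.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log format (constructed for this example, not Slack's):
#   <ISO timestamp> user=<account> op=<op> table=<table> rows=<rows returned>
LINE_RE = re.compile(r"^(\S+) user=(\S+) op=(\S+) table=(\S+) rows=(\d+)$")

# Constructed sample: app_web normally reads a row or two per query, then the
# same valid credential dumps the whole users table in three large SELECTs.
SAMPLE_LOG = """\
2015-02-20T10:00:01Z user=app_web op=SELECT table=users rows=1
2015-02-20T10:00:02Z user=app_web op=SELECT table=messages rows=40
2015-02-20T10:00:04Z user=app_web op=SELECT table=users rows=2
2015-02-20T10:05:00Z user=app_web op=SELECT table=users rows=250000
2015-02-20T10:05:01Z user=app_web op=SELECT table=users rows=250000
2015-02-20T10:05:02Z user=app_web op=SELECT table=users rows=250000
"""


def parse_line(line):
    """Return (ts, user, op, table, rows) for one audit line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, op, table, rows = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, op, table, int(rows)


def detect_bulk_reads(log_text, table="users", window=timedelta(minutes=1),
                      max_rows=10_000):
    """Flag accounts whose rows read from `table` inside a sliding `window`
    exceed `max_rows`. Authentication state is never consulted, so a valid
    service account that dumps the table is alerted on like a stolen one."""
    recent = defaultdict(deque)  # user -> (ts, rows) events inside the window
    over = defaultdict(bool)     # user -> already above the threshold?
    alerts = []                  # one (user, ts, rows_in_window) per excursion
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != table:
            continue
        ts, user, _, _, rows = rec
        q = recent[user]
        q.append((ts, rows))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        total = sum(r for _, r in q)
        if total > max_rows and not over[user]:
            alerts.append((user, ts, total))
        over[user] = total > max_rows
    return alerts
```

Running `detect_bulk_reads(SAMPLE_LOG)` yields a single alert for app_web at 10:05:00 with 250000 rows; the earlier single-row lookups never cross the threshold, and the two follow-on dumps extend the same excursion rather than raising duplicate alerts.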