Background: In 2015, Slack revealed that unauthorized individuals had gained access to a database that stored user profile information, including user names, e-mail addresses and hashed passwords. Slack reset passwords for the small number of users it confirmed to be impacted at the time and encouraged all users to do the same.
The team collaboration software maker revealed in January that it had more than 10 million daily active users. One percent of 10 million is 100,000 users.
In today’s notice, Slack said the password reset only affects users who created their account before March 2015. Furthermore, it only applies if you haven’t changed your password since then and your account does not require signing in through a single sign-on (SSO) provider.
If you’re one of the 99 percent of users who joined after March 2015 or have changed your password since then, the announcement doesn’t affect you.
The company said it recently received a report through its bug bounty program regarding potentially compromised Slack credentials. Upon further investigation, Slack determined that the majority of compromised credentials were from accounts that logged into the service during the 2015 security incident.
As such, Slack is now resetting passwords for all accounts that were active in 2015, except those that use SSO or those that have updated their password since March 2015. Slack said it has no reason to believe any accounts were compromised but is taking the step as a precaution.
One can't help but wonder, if Slack had reset all user passwords following the 2015 incident, would we be having this discussion today? Sure, password resets are inconvenient but it's better to be safe than sorry, no?