Hackers exposed the database that stores profile information for platform users of enterprise collaboration startup Slack, company officials reported Friday.
The news comes just a month after the 2-year-old enterprise collaboration provider out of San Francisco boasted of unprecedented growth, clearing the $10 million mark in annual recurring revenue in what officials called record time.
"We have since blocked this unauthorized access and made additional changes to our technical infrastructure to prevent future incidents," Anne Toth, vice president of policy and compliance strategy for Slack, wrote in a company blog post. "We have also released two-factor authentication and we strongly encourage all users to enable this security feature."
Slack officials declined comment when reached by CMSWire Friday.
Slack, run by CEO Stewart Butterfield, launched in February 2014. It now has more than 500,000 daily active users across more than 60,000 teams. Slack has raised $162 million from investors. One report has Slack at a $2.8 billion value.
"We are very aware that our service is essential to many teams," Toth said. "Earning your trust through the operation of a secure service will always be our highest priority. We deeply regret this incident and apologize to you, and to everyone who relies on Slack, for the inconvenience."
The Slack database at play here includes user names, email addresses and one-way encrypted (“hashed”) passwords, according to Slack officials. It could also include phone numbers and Skype IDs if users add them.
Hackers were able to access information contained in this user database, according to Slack officials, who determined that the intruders had access to the system for about four days in February. No financial or payment information was accessed or compromised in this attack.
"We have no indication that the hackers were able to decrypt stored passwords," Toth said, "as Slack uses a one-way encryption technique called hashing."
New Security Features
Slack officials said they made recent changes to their infrastructure and just released two new features:
- Two Factor Authentication (“2FA”; also known as “two step verification”)
- A “Password Kill Switch” for team owners, which allows for both team-wide resetting of passwords and forced termination of all user sessions for all team members
Slack officials said the two-factor authentication feature had been in development for the last few months.
Why implement now?
"It is a complicated change which requires additional support resources, administrative capabilities, changes to all applications, mobile and desktop, and extensive testing," Slack officials told users in the blog post. "We were about a week from release, with just a few small UI tweaks to simplify and clarify the usage experience."
The feature provides a "significant new level of protection against unauthorized access to your Slack account. We will be improving this feature in future releases but the feature functionality is what is most important right now."
Alan Lepofsky, vice president and principal analyst at Constellation Research, told CMSWire he believes Slack is growing faster than its enterprise readiness can support.
Competitor Weighs In
Competitor Glip out of San Diego wasted little time capitalizing on Slack's woes.
Peter Pezaris, co-founder and CEO of Glip, wrote in an email message to customers that "with today’s news about Slack having another issue with security, I wanted to personally reach out and let you know that your data is safe with us. At Glip, nothing is more important than maintaining the integrity and security of our network and your data."