Slack explained that it reset account passwords for 1% of its users. Any users who created their account before March 2015 and haven’t since changed their passwords and do not use single sign-on (SSO) will likely have their passwords reset by the company.
“We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password reuse between services, which we believed to be the case here,” Slack wrote.
Recognizing – and apologizing for – the potential inconvenience, Slack explained, “Today we are resetting passwords for all accounts that were active at the time of the 2015 incident, with the exception of accounts that use SSO or with passwords changed after March 2015. We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause.”
The announcement highlights the continued need to educate consumers about proper security hygiene, according to Terence Jackson, chief information security officer at Thycotic.
“We cannot control the situation in which our data will be breached, but what we can do is limit the fallout when it happens. These credentials that were exposed in 2015 are still surfacing. Once the data is out there, it’s out there. Using a password manager to prevent password reuse and enabling multi-factor authentication on all accounts that support it are good first steps to protect your digital identities.”
Because of the high frequency of data breaches, Shahrokh Shahidzadeh, CEO at Acceptto, said we all must operate under the assumption that it’s only a matter of time before we truly understand that all of our credentials and personal information are already compromised.
For that reason, “The reliance on binary authentication methods, such as passwords independent of their length, or even mixing it with two-factor and multi-factor authentication solutions that are susceptible to phishing attacks, is a recipe for failure and a matter of when, not if. In light of recent developments, the only safe credential is one that is immutable and that can only be bio-behavioral-based,” Shahidzadeh said.