Slack is resetting some user passwords after it became apparent hackers stole them in a previous breach. The hackers compromised Slack’s systems in 2015, copied hashed passwords, and installed code to record plaintext passwords as users entered them.
In 2015, Slack discovered that hackers had compromised its systems. The hackers managed to make their way into Slack’s infrastructure and breach a database that stored usernames and passwords.
Thankfully, Slack properly hashed the passwords, which means the database held one-way hashes rather than the passwords themselves, and those are far less useful to an attacker. Unfortunately, the hackers also installed code that would record plaintext passwords as users typed them in. When Slack discovered the problem, it tightened its security, removed the bad code, and reset passwords for anyone it thought had been affected by the breach.
Recently, someone contacted Slack through its bug bounty program with a list of compromised username and password combinations. The list was accurate, and when Slack investigated, it realized these passwords were in use during the 2015 breach. While the company thought it had discovered all compromised passwords at the time and reset them, that wasn’t the case.
Now, as a precaution, Slack is resetting all user passwords created at or before the 2015 breach. Slack says the reset affects about 1% of users and that it will contact them directly with instructions for the reset.
If Slack does contact you, you should also change your login details everywhere else if you reuse your passwords. If you do reuse passwords, you should stop. Breaches are now a common occurrence, and the safest thing to do is use a unique randomly generated password for every site. We recommend using a password manager for that purpose. [TechCrunch]
In Other News:
- Firefox will alert users of breached passwords: Speaking of breached passwords, Firefox wants to make you aware of when your passwords are compromised. If you save your passwords to the browser, they will be checked against Have I Been Pwned. If Firefox finds any matches, it will notify you. [TechRadar]
- A vulnerability in Bluetooth could reveal your location: Your Bluetooth devices are supposed to make secure connections, so only you have access to them. Unfortunately, the way many Bluetooth devices generate random connection information doesn’t prevent bad actors from tracking devices. Someone could place a series of beacons in a location, like in a mall, and track your movements. Android isn’t affected, but iOS and Windows are, and Fitbit is the easiest of all to follow. [Engadget]
- Google removed apps designed for stalking from the Play Store: Google removed seven apps from the Play Store for violating its policies on commercial spyware. The apps touted that, once installed, they could track location, record contacts, call logs, and the context of text messages (including encrypted services like WhatsApp) of a spouse, employee, or children. The apps came with instructions to install on a victim’s phone, then obfuscate the app so the phone’s owner wouldn’t know. Good riddance. [Gizmodo]
- Microsoft showed off holographic language translation: In a novel HoloLens demonstration, Microsoft showed off a digital translator at the Microsoft Inspire partner conference. The hologram looked remarkably like the presenter and spoke with similar mannerisms as well. But it spoke in Japanese, whereas the presenter spoke in English. Microsoft says live translation will be possible with this hologram, although the demo was a staged script. Pretty neat stuff. [The Verge]
- Google starting to warn about apps not meant for children: Google previously told developers they would have to specify an intended age range for their apps. Now the company is starting to roll out a “not designed for children” warning on apps that report an age range above children. Developers can even choose to apply the label proactively. Good stuff. [9to5Google]
The zombifying ant fungus is even more horrible than we already thought.