Slack to reset passwords for tens of thousands of users

Slack says passwords compromised in malware infections and past breaches at other companies.

UPDATE: Slack confirmed the password reset and said it was related to a previously reported 2015 security breach. The article below represents ZDNet's coverage before the official Slack confirmation. Slack decided to reset passwords for 1% of its userbase (~100,000), for all users who were active at the time of the breach, to be on the safe side. For newer details about the password reset operation, see here.

Slack is preparing to reset passwords for roughly 65,000 users whose credentials were recently compromised, ZDNet has learned.

The company is taking this step after receiving a list of compromised customer passwords from an anonymous source.

"This may be the result of malware installed on a computer you've used to sign in to Slack or your credentials being reused from a previous breach of a third party, such as those listed on sites like haveibeenpwned.com," reads a draft of the message the company intends to send impacted customers.

The password reset emails will be sent out later today. They will go out to both regular Slack users and Slack room admins.

Slack management held a meeting earlier today and decided on custom notifications for its more important enterprise customers, ZDNet has learned.

According to data made public during its IPO in April, Slack said it had 575 customers on annual contracts worth more than $100,000. Some of these customers appear to have been impacted as well.

Slack did not return a request for comment.

It is unclear if any of the credentials Slack received, and is now resetting, had been used to gain unauthorized access to customer accounts.

Slack has regularly reset customer passwords in the past, but always in small batches, as the company detected unauthorized access to user accounts. This is the largest password reset the company has done to date.
