Slack Technologies Inc. is resetting passwords for 1% of its user base, or more than 100,000 accounts, after uncovering new information about a 2015 data breach.

Slack disclosed in May 2015 that hackers had gained access to its central user database. The system contained names, email addresses and other profile details along with passwords.

Those passwords were protected with encryption that Slack described as “computationally infeasible” to crack. But the attackers also managed to steal some unencrypted, plain-text passwords while they were inside the company’s network. 

An internal investigation concluded that the breach had compromised only a small number of plain-text credentials. However, it turns out that the hackers may have gotten their hands on more passwords than previously believed.

Slack decided to perform today’s password reset after receiving a tip about a trove of compromised user credentials. Initially, the company’s engineers suspected the records may have been stolen through a data breach at an external organization. However, a closer inspection revealed that most of the passwords in the batch belonged to accounts that were active during the 2015 hack.

The 100,000-plus accounts that Slack reset were all created before March 2015. Users who changed their passwords since or relied on an external single sign-on authentication service to log into Slack during the breach are not affected. Slack added it has found “no reason” to believe the affected accounts were compromised, but it decided to reset them anyway as a precaution. 

The team chat provider must take privacy breaches especially seriously now that it’s a publicly traded company. Slack is also prioritizing security as part of its feature development roadmap to address the needs of large enterprise customers. Earlier this year, the company rolled out an encryption tool that enables organizations to protect employees’ chat correspondence using their own cryptographic keys. 

Photo: Slack