Slack announced today that it is resetting the passwords of approximately 1% of its users, those affected by a security incident that took place four years ago. The company says, however, that it has no evidence those accounts were actually compromised as a result of the breach.
In March 2015, the company confirmed unauthorized access to a database containing user profile information and hashed passwords. It also admitted that the attackers had injected code into its systems that captured passwords in plaintext as users entered them. Notably, Slack launched two-factor authentication at the same time it disclosed the breach.
Today's announcement follows a bug report about potentially compromised Slack credentials. Regarding that report, the company said:
"We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users. However, as more information became available and our investigation continued, we determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident."
The password reset applies only to accounts created before March 2015 whose passwords have not been changed since then. Accounts that log in through a single sign-on provider do not need a password reset.