Slack has announced that it will reset the passwords of approximately 1% of all accounts after it discovered new information about a 2015 security incident.
Resets will happen to accounts that were created before March 2015, have not changed their password since the incident, and do not log in via a single-sign-on (SSO) provider.
“We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause,” said Slack.
In 2015, Slack infrastructure was breached by numerous hackers. A database which stored important user profile information such as usernames and hashed passwords was compromised.
As part of the hack, these individuals were able to capture some passwords in plain text as they were being entered by users.
At the time, Slack reset a “small number” of accounts that they had confirmed to be affected, and urged all users to reset their passwords and implement security features such as two-factor authentication.
Recently, however, Slack discovered that the details of numerous accounts that logged in to Slack during the 2015 security incident were still compromised.
As a result, Slack is resetting all accounts that were active during the 2015 incident, except those that have changed their password since then or that log in via SSO.
Slack has again recommended that all users use two-factor authentication, and either use unique passwords for each service or use a password manager to avoid their details being compromised.