Slack, a popular start-up focused on collaboration in the workplace, said on Friday that a database storing user profile information was compromised in February. The incident lasted four days, but the company said that only a small number of users were impacted.
The database housed registration details, such as usernames, email addresses and passwords. In addition, the information could have included other personal details, such as Skype ID and phone numbers.
Slack says that there is no evidence that the attackers managed to decrypt stored passwords, which were salted and hashed with bcrypt, and that no financial information was accessed or compromised during this attack.
"Our investigation, which remains ongoing, has revealed that this unauthorized access took place during a period of approximately 4 days in February. As soon as the evidence was uncovered, we started communication with the affected teams. The announcement was made as soon as we could confirm the details and as fast as we could type," Slack said in a statement.
The breach impacted a small number of users, the company says, but the exact total is unknown. However, those affected by the incident have already been contacted directly. As part of the recovery process, Slack has introduced two new security features to the service.
The first is two-factor authentication. Slack says it had been planning to launch this feature in the near future, before the data breach occurred, but deployed an early version in order to boost security.
"We were about a week from release, with just a few small UI tweaks to simplify and clarify the usage experience. We have decided to release it immediately, despite the remaining bits of clunky-ness: the feature works and it does provide a significant new level of protection against unauthorized access to your Slack account. We will be improving this feature in future releases but the feature functionality is what is most important right now," the company explains.
The second security improvement is a password kill-switch, which will allow instantaneous password resets. Slack users who manage groups for their organization can use this service to force all team members to log out and reset their passwords.
Slack is the second start-up to report a breach this month. Last week, Amazon's Twitch reported an incident that caused the company to reset passwords and stream keys.