If you use Slack, a popular cloud-based team collaboration server, and recently received an email from the company about a security incident, don’t panic and read this article before taking any action.
Slack has been sending a “password reset” notification email to all users who have not changed the passwords for their Slack accounts since 2015, when the company suffered a massive data breach.
For those unaware, in 2015, hackers gained unauthorised access to one of the company’s databases that stored user profile information, including usernames, email addresses, and hashed passwords.
At that time, attackers also secretly inserted code, probably on the login page, which allowed them to capture plaintext passwords entered by some Slack users.
Immediately following the security incident, the company automatically reset passwords for the small number of Slack users whose plaintext passwords were exposed, but asked other affected users to change their passwords manually.