Slack is resetting passwords due to 2015 hack

Reset your password, then get back to work.

Carrie Mihalcik Managing Editor / News
The work messaging platform is still dealing with fallout from a 2015 security incident.

If you're a longtime Slack user, you may get a notification today that your password needs to be reset. The work messaging app said Thursday that it's resetting passwords for about 1% of Slack accounts due to a 2015 security incident.

Slack said it's resetting passwords for all accounts that were active at the time of the 2015 incident, except those of users who have changed their passwords since March 2015 and of accounts that use a single sign-on service, like Okta or OneLogin. Roughly 65,000 accounts are getting reset, according to ZDNet.

"We have no reason to believe that any of these accounts were compromised," Slack said in a blog post, "but we believe that this precaution is worth any inconvenience the reset may cause."

Back in 2015, hackers gained access to a Slack database that stored user profile information, including usernames and encrypted passwords, according to the company. The attackers also apparently inserted code into Slack that "allowed them to capture plaintext passwords as they were entered by users at the time." Slack notified impacted users at the time but said it recently was contacted about "potentially compromised Slack credentials" that it determined to be accounts that were logged in during the 2015 security problem.

In its post about the incident, Slack also encouraged users to set up two-factor authentication, keep computer software up to date and use a password manager. 

Originally published July 18, 7:42 a.m. PT.
Update, 8:20 a.m.: Adds more information about the 2015 security incident.