Slack has confirmed on its blog that there was unauthorized access to a Slack database that was storing user profile information. If Slack didn’t contact you about this situation, it means they do not believe your account was among the ones that were impacted by the security incident.
The unauthorized access took place over 4 days in February. No financial or payment information was accessed. Slack says there is no indication that the hackers were able to decrypt stored passwords. Slack protects stored passwords with a one-way encryption technique called hashing.
As a result of this security incident, Slack has released two new features. Two-factor authentication (2FA) is now available for all users and teams. Slack strongly recommends that everyone use 2FA “both on Slack and everywhere else it is available”.
Team owners will now be able to use a “Password Kill Switch”. It does two things. It allows for instantaneous team-wide resetting of passwords. It also causes forced termination of all user sessions for all team members. This means that everyone is signed out of the team owner’s Slack team on all apps and devices.