Slack Discloses Breach Amid $160 Million Fundraise

Slack, maker of an eponymous office-communication tool that seeks to replace corporate email, said Friday that hackers had accessed user data that may include messages sent between users.

News of the breach comes as new investors recently agreed to give the much-hyped app $160 million in additional venture funding at a valuation of $2.76 billion. The company’s value has risen remarkably fast, even by Silicon Valley standards, after its launch a little more than a year ago.

It’s unclear when Slack discovered the breach or if new investors were told of it before they agreed to the deal. Paperwork for the fundraising round was signed recently, The Wall Street Journal reported Thursday.

Slack spokeswoman Rebecca Reeve declined to comment on investor notification, in part because Slack hasn’t officially confirmed the fundraising round. In a notice to users, Slack said the breach occurred during a four-day stretch of February.

“Since the compromised system was first discovered, we have been working 24 hours a day to methodically examine, rebuild and test each component of our system to ensure it is safe,” the company said on its website, without specifying a date when the hack was discovered.

Slack encouraged users to turn on two-factor authentication, which the company previously didn’t offer. It’s unclear if two-factor authentication would have helped in this situation, as this security feature only kicks in if hackers know a user’s password. In this case, Slack says the hackers couldn’t decipher users’ passwords.

The disclosure comes less than two months after HipChat, a very similar office-chat app, disclosed its own data breach and raises fresh questions about the security of replacing clunky, if tested, office technology with Silicon Valley’s latest innovations.

Rather than traditional corporate email, Slack resembles an ongoing text message chat between users, who can add in photos and links to external websites. The product has become very popular with other technology startups. Of Slack’s half-a-million daily users, more than 135,000 pay a monthly cost of $6.67 or more per person.

Slack said most of its users weren’t affected. But the company left open the possibility that some user communications were accessed.

“If you have not been explicitly informed by us in a separate communication that we detected suspicious activity involving your Slack account, we are very confident that there was no unauthorized access to any of your team data (such as messages or files),” Slack’s Reeve said in a written statement.

On its website, the company said hackers accessed a database that contained usernames, email addresses and encrypted passwords. The company said it was confident that no user passwords could be decrypted.

But in order for a cloud service like Slack to work, some Slack employees have to have access to user communications, which are stored on Slack servers. “If, in order to diagnose a problem you are having with the service, we would need to do something that would expose your personal communications to one of our employees in a readable form,” the company says in its privacy policy.