On April 7th 2014, a new security vulnerability was announced in OpenSSL, a cryptography library used to secure much of the traffic on the internet. This vulnerability has been given the designation CVE-2014-0160 but it's more commonly known as "Heartbleed". It allows an attacker to read parts of the memory of a vulnerable server process, up to 64 KB per request, and to repeat the request as often as they like without authenticating. Among other things, it could be used to read passwords, the cookies used to identify logged-in users, or the cryptographic keys used to secure communication.
For a relatively non-technical explanation of the nature and scope of the Heartbleed vulnerability, we recommend this article from NPR. This xkcd comic also explains the core idea well and concisely.
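To make the defect concrete, here is an added example written for this page; it is not OpenSSL's code or Slack's. It is a minimal C model of the TLS heartbeat handler: the peer sends a message with a type byte, a 16-bit payload length and the payload, and the server echoes the payload back. The same function runs with or without the bounds check that the OpenSSL fix introduced (the claimed length must fit inside the bytes actually received). The memory layout, the `NEIGHBOUR_SECRET` string, and the names `process_heartbeat`, `build_arena`, `heartbleed_leaks_secret`, `patched_reply_len` and `honest_reply_len` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat layout (RFC 6520): type(1) || payload_length(2) || payload || padding(>=16). */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Simulated process memory: the received record occupies the start of this
   arena and unrelated data follows it, as it would on a real heap. */
#define ARENA_SIZE      4096
#define ACTUAL_PAYLOAD  4                                      /* bytes the peer really sent */
#define RECORD_LEN      (1 + 2 + ACTUAL_PAYLOAD + HB_PADDING)  /* 23 bytes on the wire */

/* Constructed stand-in for data that happens to sit next to the record in memory. */
static const char NEIGHBOUR_SECRET[] = "session-key:0123456789abcdef";

/* Big-endian 16-bit read, the equivalent of OpenSSL's n2s() macro. */
static uint16_t read_u16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Turn a received heartbeat record into a reply.
 *   rec/rec_len  : bytes actually received for the record
 *   out/out_cap  : reply buffer
 *   check_length : 0 = pre-fix logic (trust the peer's length field)
 *                  1 = fixed logic (length field must fit inside rec_len)
 * Returns bytes written to out, or 0 if the record is discarded. */
static size_t process_heartbeat(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap, int check_length)
{
    const uint8_t *p = rec;
    uint8_t hbtype;
    uint16_t payload;

    /* Fix, part 1: the record must at least hold type, length and padding. */
    if (check_length && (size_t)1 + 2 + HB_PADDING > rec_len)
        return 0;
    hbtype  = *p++;
    payload = read_u16(p);               /* attacker-controlled, up to 65535 */
    p += 2;
    /* Fix, part 2: the claimed payload must lie inside what was received.
       RFC 6520 section 4 says such a message is silently discarded. */
    if (check_length && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;
    if (hbtype != HB_REQUEST || (size_t)3 + payload + HB_PADDING > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    /* Without the check above this copies `payload` bytes starting at the
       peer's data and keeps going into whatever lies beyond the record. */
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0xAA, HB_PADDING);   /* stand-in for random padding */
    return (size_t)3 + payload + HB_PADDING;
}

/* Lay out a request that claims `claimed_len` payload bytes but carries only
   ACTUAL_PAYLOAD, with the secret placed right after it. Returns the real length. */
static size_t build_arena(uint8_t *arena, uint16_t claimed_len)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, "ping", ACTUAL_PAYLOAD);
    memset(arena + 3 + ACTUAL_PAYLOAD, 0x11, HB_PADDING);
    memcpy(arena + RECORD_LEN, NEIGHBOUR_SECRET, sizeof NEIGHBOUR_SECRET);
    return RECORD_LEN;
}

/* 1 if `needle` occurs anywhere in buf[0..len). */
static int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n > 0 && i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Malicious request (claims 200 bytes, sends 4) through the unchecked path:
   returns 1 when the 219-byte reply contains the neighbouring secret. */
int heartbleed_leaks_secret(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 200);
    size_t n = process_heartbeat(arena, rec_len, out, sizeof out, 0);
    return n == (size_t)3 + 200 + HB_PADDING && contains(out, n, NEIGHBOUR_SECRET);
}

/* Same malicious request through the fixed path: discarded, returns 0. */
size_t patched_reply_len(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 200);
    return process_heartbeat(arena, rec_len, out, sizeof out, 1);
}

/* Honest request (claims exactly what it sends) through the fixed path: 23-byte reply. */
size_t honest_reply_len(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, ACTUAL_PAYLOAD);
    return process_heartbeat(arena, rec_len, out, sizeof out, 1);
}

int main(void)
{
    printf("unchecked path leaks neighbouring secret: %s\n", heartbleed_leaks_secret() ? "yes" : "no");
    printf("checked path, malicious request: %zu bytes\n", patched_reply_len());
    printf("checked path, honest request:    %zu bytes\n", honest_reply_len());
    return 0;
}
```

The point to take from the model is that nothing about the leaked bytes is special: the handler simply trusts a length the peer chose and copies that many bytes from wherever the record happens to sit. Whatever the process had nearby, in this case a constructed stand-in for a session key, comes back in the reply, which is why a real server could disclose cookies, passwords or private keys, and why the fix is a plain comparison of the claimed length against the record length.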
Many of Slack's systems use OpenSSL to maintain the privacy of data sent between your computer and our servers. We have no reason to believe that any data from any Slack workspace was actually compromised. However, the most prudent course of action was to treat every secret that existed before the fix (private keys, session cookies, passwords and internal credentials) as if it had been compromised.
All our servers were updated quickly after the vulnerability's announcement and, once we were sure that no server was still vulnerable, we replaced all SSL certificates. That ordering matters: a new key installed on a still-vulnerable server can be read out just like the old one. We've since done a top-to-bottom review of all systems, following the same procedures we would in a worst-case scenario, assuming any internal secrets, passwords or private keys were compromised. We have now completed that process and believe that all concerns have been addressed.
We've also taken this opportunity to introduce some additional measures to further improve Slack's security, our ability to protect your data and our ability to respond to any similar incidents in the future. On April 10th, as one of those measures, we changed how we issue authentication cookies. Any remaining old-style authentication cookies will be invalidated by April 15th. We also recommend that all users change their passwords, and we have sent out an email with that recommendation and a link to this document.
The security and integrity of your data are among our fundamental goals. We're always looking for ways to make improvements. Upcoming enhancements include two-factor authentication, API methods for user management, administrator-controlled security policies for things like password strength and PIN-lock for mobile apps.
The Heartbleed vulnerability was a near-unprecedented security event and was not unique to Slack. Estimates at the time put the number of affected servers in the hundreds of thousands, on a web where roughly two-thirds of servers run OpenSSL. You should check whether other sites and services you use were vulnerable, and consider resetting your password on all of them once each site has confirmed that it has patched and replaced its certificates; a password changed on a still-vulnerable site can be exposed just like the old one. (If this sounds like a lot of work, we suggest using this as an opportunity to start using a secure password manager, such as 1Password, Keeper, PasswordBox, LastPass, KeePass or iCloud Keychain.)
Thanks for your attention.
For more information on our approach to security for Slack please refer to our Statement of Policies Regarding Data Security and Confidentiality and our Policies for Responsible Disclosure. If you have any other questions, please let us know.