Data Security Law Blog

An Old Hack Comes Back to Haunt (Newly-Public) Slack

Last Thursday, Slack Technologies, Inc. (Slack) announced that it would reset passwords for a number of accounts compromised by a security breach that occurred more than four years ago, in March 2015. Slack—a fast-growing messaging service that launched in 2014 and went public last month—provided little explanation for its delay in action and minimized the scope of the incident, claiming that it only affected a small percentage of current Slack users. The narrow scope and timing of Slack’s disclosure raise interesting questions about the heightened scrutiny public companies now face when dealing with cybersecurity incidents.

Slack is a “team messaging application” that seeks to replace email as a repository for business information and communications. It uses instant messages and live chats to organize messaging and documents. Since its public launch in 2014, Slack has become a widely-used tool for social groups, start-ups, and large publicly-traded firms, including high-profile customers like Ford and Nordstrom. As of June 2019—when the company offered $100 million of shares to the public through a DPO (direct public offering)—Slack had approximately 100,000,000 daily active users across 150 countries.

In the prospectus Slack filed with the SEC, it listed “security incident[s]” among the company’s risk factors and described the March 2015 breach as an example. There, Slack reported that it was “not aware of any material impact on any organizations that resulted from the incident.”

Last Thursday—almost a month after its public filing—Slack published a news item on its site disclosing that it had received “new information about Slack’s 2015 security incident.” Specifically, it had learned about compromised accounts and “determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident.” The company said it would reset passwords “for approximately 1% of Slack accounts” that had been potentially compromised for more than 4 years.

Slack explained that in 2015 the attackers had “gained access to some Slack infrastructure” and “inserted code that allowed them to capture plaintext passwords as they were entered by users at the time.” The announcement said nothing about the number of messages that may have been compromised, but some affected users have speculated that “it’s likely much more than 1%” because the breach affected early adopters and may have captured messages from other users interacting with accounts that had been directly compromised.

Notably, Slack made this announcement one month after offering its stock to the public and filing a prospectus with the SEC that disclosed the company’s data security risks generally and the March 2015 incident in particular, but did not disclose the continuing impact of that incident. As we have previously discussed on this blog, the SEC has recently focused on the need for public companies to provide detailed disclosures to shareholders regarding data security risks and material data security incidents. In particular, the SEC’s recent guidance underscores the “grave threats to investors” and our financial systems posed by cybercrime and “encourages focused and tailored cyber disclosures based on an assessment of a company’s risk profile rather than general boilerplate disclosures.” Even so, the SEC has not said precisely when a breach must be disclosed or how much detail the disclosure must contain.

It remains to be seen whether Slack’s shareholders, Slack’s users, or the SEC will take issue with the scope or timing of the company’s disclosure. For now, however, the market seems ready to move on: while Slack’s stock price dropped approximately 3% the day after the announcement, it has more than bounced back in the last few days.