by numair 2524 days ago
The author would have done well by refraining from using this as an opportunity to make a sales pitch for their startup, as it detracts from an otherwise important message.

Let me see if I have this right:

Slack had a major security breach in 2015. Apparently someone installed malicious code that could even read password inputs in plaintext. They waited 4 years, after growing large and going public, to inform affected users. And in the interim they blamed their users for any related security problems.

Do I have this correct? If so, how is anyone going to defend this situation? And how can anyone put any sensitive data on Slack, or tell their company to do so, and feel good about it now?

I expected some stupid apology note from the CEO on their website if this turns into a bigger issue, which is sort of an anti-pattern at this point...

The issue looks to be that they thought they had informed all the affected users back in 2015, but underestimated the set of affected users. The breach certainly wasn’t secret until today, they posted it publicly at that time: https://slackhq.com/march-2015-security-incident-and-the-lau....
They failed to mention that malicious code was reading plaintext passwords, though.
I also believe they were aware of this problem in March of 2019, as I was forced to do a password reset on my affected Slack account, judging from my password manager's last-updated timestamp.
I think the point was a sales pitch. The post worked well enough to get to the top of the Hacker News front page. I think the effort was rewarded.
I don't even dislike the pitch, tbh. Rarely do I view these posts as innocent / without-pitch. So seeing the pitch is almost appreciated by me, as at least he's trying not to hide it.

With that said, I wish he'd have gone into more of a pitch - specifically why Keybase might be unable to suffer from this specific problem. Or at least, why the attack surface area is smaller with Keybase, etc. He goes into it a bit, but not a ton; I could have used more.

Most things related to Keybase go to the top of Hacker News. The company has many HNers.

I like their products a lot; I wish they were a bit less self-promoting, as it is in fact the case here.

Would shareholders have a case to make for fraud here? Slack clearly didn't want this information getting out pre-IPO, as a security disclosure in this case would certainly impact public confidence in the company.
Every tech IPO filing has a generic statement saying something like "our software may contain bugs, including bugs that we cannot fix blah blah blah." So unless Slack has made fraudulent statements about this specific breach, I doubt they've done anything illegal WRT securities fraud.
I'm sure shareholders will sue, because they try to turn everything into a violation of securities law. But securities law shouldn't be the only way to regulate companies, imo.
bloomberg.com/opinion/articles/2019-06-26/everything-everywhere-is-securities-fraud
Large companies must now notify the authorities within days of such a data breach in the EU - no room for "guessing" whether or not the companies should be sued over this type of fraud.
This is the "lite" version of his sales pitch. The real sales pitch was the email that Keybase users just received. It said, basically, that Slack was compromised but if you would have used Keybase instead, you wouldn't have been compromised.

Awkward, indeed.

I cringe when I see companies try to use a competitor's misfortune to their advantage.

It's not using a competitor's misfortune if they didn't reasonably disclose the breach.