On Friday at 11:39am (PST), Slack sent out a notification to users, letting them know that a “security incident” had taken place “during a period of approximately four days in February.”
During the breach, information kept in Slack’s database was accessible to the attackers: user names, email addresses, “one-way encrypted (hashed) passwords”, and “information that users may have optionally added to their profiles such as phone number and Skype ID”.
Since the breach was discovered, presumably back in February, Slack has been “working 24 hours a day” with “outside experts to cross-check assumptions”, and has notified law enforcement. Slack also immediately rolled out two-factor authentication, a feature it had planned to release later but was presumably still working on, along with a “password kill-switch”.
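The two measures reported above, password hashing and a kill-switch, are easy to misread as equivalent, so here is an added illustration of how they fit together. It is not Slack’s code and not from the article; the credential store, its method names and the PBKDF2 round count are assumptions for the demonstration. Stolen salted hashes still let an attacker guess passwords offline; the kill-switch limits the damage by refusing every pre-breach password until the user picks a new one.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

# Hypothetical credential store, not Slack's implementation. It keeps only a
# per-user random salt and a slow one-way hash (PBKDF2-HMAC-SHA256), so a copy
# of the table does not directly yield passwords; the attacker must guess offline.
PBKDF2_ROUNDS = 200_000  # deliberately slow to raise the cost of offline guessing


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    reset_required: bool = False  # set by the kill-switch after a suspected breach


def hash_password(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """One-way hash: cheap to verify once, expensive to brute-force at scale."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


class CredentialStore:
    def __init__(self) -> None:
        self._users: Dict[str, Credential] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
        self._users[username] = Credential(salt=salt, digest=hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        cred = self._users.get(username)
        if cred is None or cred.reset_required:
            return False  # unknown user, or the old password has been killed
        # constant-time compare avoids leaking how many bytes matched
        return hmac.compare_digest(cred.digest, hash_password(password, cred.salt))

    def reset_required(self, username: str) -> bool:
        return self._users[username].reset_required

    def kill_switch(self) -> None:
        """Invalidate every stored password at once; users must choose a new one.

        Leaked hashes can still be cracked offline, but a cracked password no
        longer opens the account, which is the point of the switch.
        """
        for cred in self._users.values():
            cred.reset_required = True

    def reset_password(self, username: str, new_password: str) -> None:
        # Fresh salt and digest; the possibly leaked digest is discarded.
        salt = os.urandom(16)
        self._users[username] = Credential(salt=salt, digest=hash_password(new_password, salt))


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    print(store.verify("alice", "correct horse battery staple"))  # True
    store.kill_switch()
    print(store.verify("alice", "correct horse battery staple"))  # False until reset
```

Note that the kill-switch only helps if it is thrown before the leaked hashes are cracked, which is why the lag between discovery and disclosure matters.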
While Slack’s actions are encouraging, the lag time in making the announcement, not to mention timing it to go out Friday afternoon EST, looks a lot like damage control.
Obviously, getting hacked is not a problem unique to Slack. Corporate breaches made public during the past week include British Airways, GitHub, and Uber, who all suffered major attacks, with Uber username and password data being sold on the “dark web” for as little as $1.
Sean Merat, CEO of Vancouver-based Witkit, a direct competitor of Slack’s in that Witkit is also a workplace collaboration tool with a heavy emphasis on security, criticized Slack’s security protocols in the wake of the breach announcement.
“Server-side encryption is not enough,” said Merat in an email to Cantech Letter. “The problem is that when Slack’s servers are breached, all of their user data may be jeopardized. Any platform is only as reliable as its security, and especially when you’re dealing with businesses, security is even more paramount. It should be their #1 priority. Unfortunately, in my opinion their efforts are not enough. By providing an end-to-end encryption security model, they would not be putting their users’ data at risk. With an e2e model, user data is encrypted on their devices, before it is sent and stored on servers. This makes it infinitely more unlikely for intruders to be able to access user data.”
Reached for comment by Cantech Letter, Stewart Butterfield responded, “Slack is the same as every widespread email system, your medical records, all the information that government stores about you, all your banking and financial information, everything in Facebook, Twitter, etc. There are practical tradeoffs (e.g., the ability to search remote data) that people make which trade off against perfect security.”
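To make concrete the contrast Merat draws above between server-side and end-to-end encryption, and the “ability to search remote data” tradeoff Butterfield points to, here is an added simulation. It is not Slack’s or Witkit’s code and not from the article; the `Server` class, `attacker_reads` and the sample messages are constructed for the demonstration, and the cipher is a stdlib-only HMAC-SHA256 counter-mode construction standing in for a real AEAD such as AES-GCM. In the server-side model the server holds the key, so a dump of its database plus key material reads cleanly; in the end-to-end model the key never leaves the device, so the same dump yields only ciphertext, and the server can no longer search message bodies.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Illustration cipher built from the standard library: HMAC-SHA256 as a PRF in
# counter mode for confidentiality, plus an encrypt-then-MAC tag for integrity.
# A real client would use a vetted AEAD (AES-GCM, ChaCha20-Poly1305) instead.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Hypothetical message store. Holds a data key only in the server-side model."""

    def __init__(self, data_key: Optional[bytes] = None) -> None:
        self.data_key = data_key
        self.store: Dict[str, bytes] = {}

    def put(self, msg_id: str, payload: bytes) -> None:
        # Server-side model: plaintext arrives over TLS and is encrypted at rest here.
        # End-to-end model: payload is already ciphertext and is stored as received.
        self.store[msg_id] = encrypt(self.data_key, payload) if self.data_key else payload

    def search(self, word: bytes) -> List[str]:
        # Remote search is the tradeoff Butterfield names: it needs readable data.
        if self.data_key is None:
            return []  # ciphertext only; nothing the server can match on
        return [i for i, blob in self.store.items() if word in decrypt(self.data_key, blob)]


def attacker_reads(dump: Dict[str, bytes], leaked_key: Optional[bytes]) -> List[bytes]:
    """Plaintexts recoverable from a breach that copies the store and any server key."""
    if leaked_key is None:
        return []
    return [decrypt(leaked_key, blob) for blob in dump.values()]


# Constructed sample messages for the demonstration.
MESSAGES = {"m1": b"rotate the deploy key at 5pm", "m2": b"lunch?"}


def run_server_side() -> Tuple[List[bytes], List[str]]:
    server = Server(data_key=os.urandom(32))  # key lives on the server
    for i, m in MESSAGES.items():
        server.put(i, m)
    # Breach: database dump plus the server's key material.
    return attacker_reads(server.store, server.data_key), server.search(b"deploy")


def run_end_to_end() -> Tuple[List[bytes], List[str], List[bytes]]:
    client_key = os.urandom(32)  # never leaves the user's device
    server = Server()
    for i, m in MESSAGES.items():
        server.put(i, encrypt(client_key, m))
    readable = attacker_reads(server.store, server.data_key)  # server has no key
    recovered = [decrypt(client_key, server.store[i]) for i in MESSAGES]  # the owner still can
    return readable, server.search(b"deploy"), recovered


if __name__ == "__main__":
    print(run_server_side())
    print(run_end_to_end())
```

The end-to-end model also shifts the burden of key management onto the client: a lost device key means lost history, and server-side features such as search, link previews and compliance export have to be rebuilt client-side or given up.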
While the idea that security vs. convenience is a “trade off” that most people are willing to make is certainly widespread, not everyone is happy with the status quo.
In a recent interview, Privacy Analytics CEO Khaled El Emam told us, “If you’re building a company or a business that’s essentially a data business, you have to do this (data anonymization). I think awareness is increasing, investors are becoming more knowledgeable about this, VCs are becoming more knowledgeable about this and so they will put pressure on the companies or data businesses that they invest in to pay more attention to this.”
Part of what makes the rise of Slack so refreshing is Stewart Butterfield’s extreme candor. Tech journalists have gotten used to the endless parade of tech CEOs repeating the exact same talking points, that their app or product is going to “disrupt” some legacy vertical and thereby change the world, all dreaming of joining the $1 billion unicorn club that Butterfield inhabits, while usually sporting a made-up word for a logo on a T-shirt.
In that context, hearing Butterfield’s frequently obscenity-laden evaluations of his company’s meteoric success is like suddenly hearing a great song in an otherwise really boring nightclub.
In November, he told Business Insider, “I feel that what we have right now is just a giant piece of shit. Like, it’s just terrible and we should be humiliated that we offer this to the public.”
And in February, at around the same time as Slack was being hacked, he told Pando Daily in reference to Slack’s absurdly high valuation, “It’s arbitrary as fuck. There’s no logic to what you get valued at.”
Indeed, to prove a point about the absurdity of valuation in the high ether of Silicon Valley economics, Toba Capital’s Patrick Mathieson adopted a satirical voice in a Quora post to talk about the dynamics of a start-up like Slack joining the $1 billion club.
Using the language of an auctioneer, Mathieson bid Slack’s valuation higher and higher while goading a fictional group of investors. “Okay you bastard VCs. I need to raise one hundred and sixty million dollars. I’m going to let five of you invest in my company. How many of you will invest at a $2 billion valuation?”
The “bidding” went to $2.8 billion until “Stewart Butterfield” decided to finesse the numbers to make it seem more realistic. “Damn, too far the other way. Let’s meet in the middle, plus a little extra for me (muahahaha). $2.76 billion?”
Stewart Butterfield’s verified Quora account enjoyed the exchange sufficiently to upvote it himself.
The next day, several media outlets reported that Slack was on a path to a new $160 million round of fundraising and was now valued at $2.8 billion, adding in rumours that Butterfield was being shouldered aside as CEO in favour of a “more operational” leader.
Even so, a valuation of over $1 billion is, to phrase it gently, ambitious given that Slack takes in less than $12 million in annual recurring revenue (it is reported to be adding $1 million in annual recurring revenue every 11 days).
Despite Slack’s security troubles and doubts over its valuation, it’s obvious that Butterfield’s ability to tap this particular Zeitgeist is hardly as accidental or “arbitrary” as he implies.
In a company memo sent out two weeks before Slack’s launch, he compares the team’s approach to a fictional prehistoric company “selling horseback riding… about 4,000 years ago.”
Recognizing that workplace communication is at the beginning of a great transition, Butterfield continues, “It is almost inevitable that centralized internal communication systems will gradually replace email for most organizations over the next 10-20 years and we should do what we can to accelerate the trend and ‘own it’.”
And own it Slack has.
With customers like the New York Times, Spotify and Airbnb, and an expansion that has forced Slack to hire a marketing team (something Butterfield resisted for as long as he could), it’s obvious that security is going to have to move to the front burner if Slack is to retain companies with very real concerns around data security.