Security breaches at startup technologies are starting to become the new normal.
On Friday, Slack, the communications startup, said it had been breached by hackers. That made it the second young company to step forward this week - following Twitch, the hugely popular video streaming service - and disclose it was hacked.
The breaches at the two companies were not as severe as recent attacks at major retailers like Home Depot, or at banks like JPMorgan Chase, but they underscore how young companies are just as much of a target.
Breaches are becoming a kind of rite of passage for fledgling tech companies. If they gain enough momentum with users, chances are they will also become a target for hackers looking to steal, and monetize, the vast personal information they store on users, like email addresses and passwords. Such data can fetch as much or in some cases more on the black market than a credit card number.
"When a company reaches a certain size or notoriety, it's going to get hacked," said Tripp Jones, a general partner at venture capital firm August Capital. "Unfortunately, until someone comes up with a better way, the battle has shifted to identification, containment and damage mitigation."
"It's a big, big problem," Jones added.
The breaches at Slack and Twitch followed attacks last year at Tinder, the popular dating app, and Kickstarter, the crowdfunding site, which were both breached as they gained momentum with users.
Both Slack and Twitch have the user base - and the financial resources - to beef up their security. Once Slack had surpassed 200 million messages a month, it attracted $180 million in venture funding. Once Twitch surpassed 55 million users, Amazon scooped it up for nearly $1 billion.
Both companies said they had put measures in place to keep hackers from easily exploiting their users' information.
At Slack, the company said hackers were able to access a database containing usernames, email addresses, phone numbers, Skype IDs and passwords. The company noted that those passwords were encrypted using a process known as hashing and salting, which makes it much harder, though not impossible, for hackers to crack them. Last month, Slack had half a million daily users.
Twitch also said it encrypted passwords, but warned that hackers might have been able to capture passwords in the clear as users were logging on.
The breaches have prompted both companies to re-evaluate their security. Slack said Friday that it was adding a security measure called two-factor authentication, which requires a second, one-time password when users log in from an unrecognized device.
Twitch had a different experience. After resetting users' passwords, Twitch initially introduced longer password character requirements, but had to dial back its new 20-character password length requirement to 8 characters after users complained.
"All security folks know that passwords are a necessary evil," said Jonathan Sander, a strategy and research officer at STEALTHbits Technologies, a cybersecurity company. "If you were looking for a poster child for why we need a better way, then Twitch will likely be your choice."
© 2015, The New York Times News Service