In the subsequent days and weeks, I reset all of my passwords, threw away all my computers, bought new computers, factory-reset my phone, rotated all of my Keybase devices (i.e., rotated my "keys"), and reestablished everything from the ground up. It cost Keybase and me a lot of time, money and stress. In the end, I was pretty sure but not 100% convinced that if I had been "rooted", the attackers couldn't follow me to my new setup. But with these things, you can never know for sure. It's a really scary thing to go through. [...]
Also, Slack's announcement seems to say 1% of accounts were still compromised (after 4 years), but we are wondering: how many were compromised then? And what percentage of messages did the compromised accounts have access to? 10%? 50%? Only the hackers know, but it's likely much more than 1%.
And finally, we know the original compromise was in 2015, but I was only notified of a suspicious login in 2019. Were our Dutch friends sifting through our messages for four years before Slack notified us of a suspicious login? [...]
Keybase messages are end-to-end encrypted, and only our users control their decryption keys. A break-in of our servers, even one injecting code, cannot yield unencrypted messages or jeopardize message integrity.
Now, grain of salt and all, being from a competitor, but I'm with Keybase on this one. I can't see any good reason to choose Slack over Keybase unless you are making the decision that you want the slider between "convenience" and "security" to be wayyyyyy over to the left.
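To make the property quoted above concrete (the server holds only ciphertext, and a server-side modification is detected by the recipient), here is an added illustration in Python. It is not Keybase's code: it assumes a hypothetical pre-shared 32-byte conversation key held by the two clients, uses a toy SHA-256 counter-mode keystream plus HMAC-SHA256 (encrypt-then-MAC) in place of a real AEAD, and models the compromised server as a class that can read and rewrite stored blobs. The message text is constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption: both clients already share `key` (32 bytes). Keybase derives
# per-conversation keys from per-device keys; that exchange is not modelled here.


def _derive(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the shared conversation key."""
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(enc_key || nonce || counter). Illustrative only;
    a real client would use an AEAD such as XSalsa20-Poly1305."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes):
    """Verify the tag first (constant-time compare); return None on any failure."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class RelayServer:
    """Models a compromised relay: it stores opaque blobs and may read or rewrite them."""

    def __init__(self):
        self.store = []

    def post(self, blob: bytes) -> int:
        self.store.append(blob)
        return len(self.store) - 1

    def fetch(self, index: int) -> bytes:
        return self.store[index]

    def tamper(self, index: int, byte_index: int, mask: int = 0x01) -> None:
        b = bytearray(self.store[index])
        b[byte_index] ^= mask
        self.store[index] = bytes(b)


def run_scenario(message: bytes = b"rotate the release signing key on friday") -> dict:
    """Sender seals a message; the server inspects it, relays it, then tampers with it."""
    key = os.urandom(32)
    server = RelayServer()
    idx = server.post(seal(key, message))
    server_sees_plaintext = message in server.fetch(idx)   # server only ever holds ciphertext
    delivered = open_(key, server.fetch(idx))              # honest relay: recipient reads it
    server.tamper(idx, 16)                                 # flip one bit of the first ciphertext byte
    after_tamper = open_(key, server.fetch(idx))           # recipient rejects the forgery
    return {
        "server_sees_plaintext": server_sees_plaintext,
        "delivered": delivered,
        "after_tamper": after_tamper,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the scenario is the division of trust: the server can store, delay or drop blobs, but without the key it neither reads them (`server_sees_plaintext` is False) nor alters them unnoticed (`after_tamper` is None because the MAC check fails before any decryption happens). Code injected into the server changes none of that, since the keys never leave the clients.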
I've been lightly using Keybase for a little while now. Setup is definitely complex, but once it's running, it's good at what it does -- which is to say, IRC channels with end to end crypto, but also mission-critical EMOJI.