At a place I worked at we discovered it in a couple ways. One was a routine scan done by our host provider, looking for malicious files meant to do things like create a web-shell. After they found the malicious files they had logs to determine the time frame of the attack(s).

And in another instance the hacker emailed us asking for ransom.

That's a really good question and one that probably has a different answer for every breach. In this case it's also probably a question that only Slack could answer for you. In regards to the second half of your question, being that they only recently went public about it, I suspect that they most likely did discover it after the fact.

True story:

Log into server. Why is server slow? Run `top`. Hmm, `./exploit` is consuming 99% CPU...

./exploit ...? Seriously??? LOL

Step 1) Discover a hole in your code, Step 2) go back to logs and see if anyone ever used that hole, Step 3) panic.

Logging every API request through every layer into ElasticSearch/Logstash or something similar for starters.

Usually, if the attacker doesn't dump your info or otherwise blatantly advertise themselves, the FBI tells you.

The wording of the article suggests that they released 2-factor auth -after- the breach happened. This is purely speculation, but one possibility is that they wanted to get their ducks in a row (i.e. have some enhanced security options in place) before announcing the breach. Mitigate the PR damage.

logs -- perhaps they hired a security firm to do periodic audits.

I recommend "The Cuckoo's Egg". It's a great book about traking down a hacker and explains one of the ways it was done.