Slack resets passwords after bug exposed hashed passwords for some users


Slack said it took the step of resetting passwords for about 0.5% of its users after a bug exposed salted password hashes when creating or revoking shared invite links for workspaces.

“When a user performed one of these actions, Slack sent a hashed version of their password to other members of the workspace,” the communications and collaboration platform said in a warning on Aug. 4.

Hashing refers to a cryptographic technique that converts data of any size into a fixed-size output (called a hash value, or simply a hash). Salting is designed to add an extra layer of security to the hashing process, making the resulting hashes more resistant to brute-force attempts.
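As an added illustration of the salted-hash scheme just described (example code written for this article, not Slack's own implementation, which the company has not disclosed), the following Python derives a per-user salted hash with PBKDF2 and verifies a login in constant time; the iteration count is an assumed setting.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example; tune per deployment).
ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass(frozen=True)
class StoredCredential:
    """What a server stores instead of the password: salt, digest and work factor."""
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> StoredCredential:
    """Derive a salted hash; a fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredCredential(salt=salt, digest=digest, iterations=iterations)


def verify_password(password: str, stored: StoredCredential) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    stored.salt, stored.iterations)
    return hmac.compare_digest(candidate, stored.digest)


def same_password_distinct_hashes(password: str) -> bool:
    """Two users with the same password get different hashes because their salts
    differ, so a table precomputed against one leaked hash does not crack the other."""
    a = hash_password(password)
    b = hash_password(password)
    return a.salt != b.salt and a.digest != b.digest


if __name__ == "__main__":
    cred = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", cred))  # True
    print(verify_password("wrong password", cred))                 # False
    print(same_password_distinct_hashes("hunter2"))                # True
```

Even with salting, a leaked hash can still be attacked by guessing one password at a time, which is why a slow derivation function and a password reset, as Slack performed, both matter.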

The Salesforce-owned company, which had more than 12 million daily active users as of September 2019, has not revealed the exact hash algorithm used to protect the passwords.

The bug is said to have affected all users who created or revoked shared invite links between April 17, 2017 and July 17, 2022, when the issue was pointed out by an unnamed independent security researcher.

It’s worth pointing out that the hashed passwords were not visible to Slack clients, meaning that accessing the information would have required active monitoring of the encrypted network traffic from Slack’s servers.

“We have no reason to believe that anyone was able to obtain readable passwords because of this issue,” Slack noted in the advisory. “However, as a precaution, we have reset the Slack passwords of the affected users.”

In addition, the company is using the incident to advise its users to enable two-factor authentication as a means of protecting against account takeover attempts and to create unique passwords for each online service.