Slack Resets Passwords After Exposing Hashes in Invitation Links
Slack notified roughly 0.5% of its users that it reset their passwords after fixing a bug exposing salted password hashes when creating or revoking shared invitation links for workspaces.
“When a user performed either of these actions, Slack transmitted a hashed version of their password (not plaintext) to other workspace members,” Slack told BleepingComputer.
“Although this data was shared via the new or deactivated invitation link, the Slack client did not store or display this data to members of that workspace.”
The bug was discovered by an independent security researcher who disclosed it to Slack on July 17. The issue affected all users who created or revoked shared invitation links between April 17, 2017, and July 17, 2022.
Luckily, the hashed passwords were not visible to Slack clients, with active monitoring of encrypted network traffic from Slack’s servers required to access this exposed information, according to Slack.
No plaintext passwords exposed
Slack also added that it has no reason to consider that the bug was used to gain access to plaintext passwords before getting fixed.
“We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue,” the company stated on Thursday.
“However, for the sake of caution, we have reset affected users’ Slack passwords. They will need to set a new Slack password before they can log in again.”
It’s also important to mention that, although hashes cannot be used for authentication and it’s unfeasible to try to reverse them (for some hashing algorithms), Slack added in security notices sent to affected users that hashes could still be reversed via brute force.
“Hashed passwords are secure, but not perfect — they are still subject to being reversed via brute force — which is why we’ve chosen to reset the passwords of everyone affected,” Slack warned.
BleepingComputer reached out to Slack for more info on the hashing algorithm used to generate the password hashes but did not receive a reply before this article was published.
To ensure that your account was not compromised, you can access personal access logs here. Slack also advises all users to enable two-factor authentication and create unique passwords not used with other online services.
Slack says it has more than 169,000 paying customers from over 150 countries, with 65 Fortune 100 companies using its services.