Slack reset the passwords of about half a percent of its userbase. The reset is an attempt to mitigate a bug that exposed hashed passwords to fellow workspace participants.
According to Slack, the bug was discovered by a researcher late last week and had a major impact on password security. The vulnerability caused a user's hashed password to be sent to other participants in that user's workspace whenever the user created or revoked a shared invitation link for the workspace.
Hashing is a cryptographic technique for storing secrets such as passwords: the input is transformed one way, so the original value cannot be recovered from the hash. Anyone who obtains a hashed password should therefore not be able to extract and abuse the password itself. A leaked hash still matters, though, because whoever holds it can test candidate passwords against it offline, which is why exposed hashes are normally treated as compromised and reset.
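The two points above, how a salted password hash is stored and verified, and how a hash ends up in a payload sent to other workspace members, are illustrated by the following added example. It is not Slack's code and does not reflect Slack's internal implementation; the user records, event structure and field names are constructed for this example. It places the over-exposure pattern (an event payload that embeds the full internal user record) beside the hardened version (an allowlist of public fields) and includes a check that scans an outgoing payload for sensitive keys.

```python
import hashlib
import hmac
import os
from typing import Optional

# Keys that must never leave the server (assumed names for this example).
SENSITIVE_FIELDS = {"password_hash", "password_salt"}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) using scrypt, a deliberately slow password hash.

    A fresh random salt per user means two users with the same password
    get different hashes, so one leaked hash says nothing about another.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def make_user(user_id: str, name: str, password: str) -> dict:
    """Constructed internal user record, as a server might store it."""
    salt, digest = hash_password(password)
    return {"id": user_id, "name": name,
            "password_salt": salt.hex(), "password_hash": digest.hex()}


# Vulnerable pattern: the event broadcast to workspace peers embeds the
# whole internal record, so the hash rides along in the network traffic.
def invite_event_naive(actor: dict, link_id: str) -> dict:
    return {"event": "invite_link_created", "link_id": link_id, "user": actor}


# Hardened pattern: serialise only an explicit allowlist of public fields.
PUBLIC_USER_FIELDS = ("id", "name")


def public_user(actor: dict) -> dict:
    return {key: actor[key] for key in PUBLIC_USER_FIELDS}


def invite_event_safe(actor: dict, link_id: str) -> dict:
    return {"event": "invite_link_created", "link_id": link_id,
            "user": public_user(actor)}


def leaked_fields(payload) -> set:
    """Walk a JSON-like payload and return any sensitive keys it contains.

    Suitable as a unit test or as an outbound filter in front of the
    broadcast layer: an empty set means nothing sensitive is present.
    """
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_FIELDS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(payload)
    return found


if __name__ == "__main__":
    alice = make_user("U1", "alice", "correct horse battery staple")
    print("naive payload leaks:", leaked_fields(invite_event_naive(alice, "L1")))
    print("safe payload leaks:", leaked_fields(invite_event_safe(alice, "L1")))
```

Running the module prints the two sensitive keys for the naive payload and an empty set for the allowlisted one. The allowlist is the important design choice: a denylist of fields to strip breaks silently the next time someone adds a new secret to the user record, whereas an allowlist only ever exposes what was deliberately named.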
Half a percent of all users
The vulnerability affected all end users that created or revoked workspace invitation links between 17 April 2017 and 17 July 2022. In total, the bug involved half a percent of Slack’s userbase.
According to Slack, the hashed passwords were not displayed anywhere in the Slack client. A user would have had to actively monitor the encrypted network traffic exchanged with Slack's servers to see them. Slack said there is no evidence of cybercriminals abusing the bug to obtain plaintext passwords.
Despite this, Slack forced a password reset on all affected users. They recently received a prompt to change their password. A new password must be set before logging in. Slack also recommends configuring two-factor authentication.