Slack Releases Fix for Critical Bug That Exposed Hashed Passwords for Years


Slack has confirmed that a security vulnerability accidentally exposed the hashed passwords of around 0.5 percent of its customers. The company patched the bug last month and notified impacted users that it had reset their passwords.

The vulnerability was discovered by a security researcher and reported to Slack on July 17, 2022. The flaw was in the shared invite link feature, which lets users join a specific workspace, and it exposed the hashed passwords of all users who created or revoked shared invitation links during the past five years.

Slack has confirmed that the hashed passwords were not visible to other members of the workspace within the client. However, they could have been captured by attackers actively monitoring the encrypted traffic exchanged with Slack’s servers.

“Upon receiving the report from the security researcher, we immediately fixed the underlying bug and then began investigating the potential impact of this issue on our customers. We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset affected users’ Slack passwords,” Slack explained in its security advisory.

Slack recommends that customers enable two-factor authentication

Hashing is a one-way cryptographic transformation used to store sensitive data such as passwords without keeping the data itself. Slack states that these hashed passwords cannot be used to log in and that recovering the original passwords from them is practically impossible. However, the company noted in the security advisory sent to affected customers that attackers could still use brute-force methods, hashing candidate passwords and comparing the results, to recover passwords from the hashes.
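The two claims above, that a leaked hash cannot itself be used to log in yet weak passwords can still be recovered from it by guessing, shown in code. This is an added example, not Slack's code; the scrypt parameters, the sample passwords and the guess list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Illustrative slow-hash parameters (not Slack's); 128*r*n = 16 MiB of memory per hash.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

# Constructed guess list standing in for an attacker's wordlist.
WEAK_GUESSES = ["password", "123456", "slack2022", "letmein", "qwerty"]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Login re-hashes the submitted password and compares in constant time."""
    recomputed = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(recomputed, digest)


def hash_is_not_a_credential(salt: bytes, digest: bytes) -> bool:
    """Submitting the leaked hash itself as the password must not authenticate."""
    return not verify_password(digest.hex(), salt, digest)


def offline_guess(salt: bytes, digest: bytes,
                  candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Model an attacker holding only salt+hash: hash each guess and compare.
    Returns (matching guess or None, number of hashes computed)."""
    count = 0
    for guess in candidates:
        count += 1
        if verify_password(guess, salt, digest):
            return guess, count
    return None, count


def demo() -> dict:
    weak = hash_password("slack2022")            # constructed weak password
    strong = hash_password("Z7#kq!v9Lm2$pR0w")   # constructed strong password
    return {
        "hash_replay_rejected": hash_is_not_a_credential(*weak),
        "weak_recovered": offline_guess(*weak, WEAK_GUESSES),      # found on guess 3
        "strong_recovered": offline_guess(*strong, WEAK_GUESSES),  # (None, 5)
    }


if __name__ == "__main__":
    print(demo())
```

The weak password falls to a handful of guesses while the strong one survives the list, which is why a reset plus strong, unique passwords is the right response to a hash leak even when the hashes themselves are useless as credentials.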

Slack has advised customers to enable two-factor authentication and to enforce password hygiene across their organization, meaning strong passwords that are unique to each service. Users can also review their personal access logs to confirm that their account has not been accessed by anyone else.