Slack Releases Fix for Critical Bug That Exposed Hashed Passwords for Years
Slack has confirmed that a security vulnerability accidentally exposed the hashed passwords of around 0.5 percent of its customers. The company patched the bug last month and notified impacted users that it had reset their passwords.
The vulnerability was first discovered by a security researcher and reported to Slack on July 17, 2022. The flaw was in the shared invite link feature, which lets users join a specific workspace. It exposed the hashed passwords of all users who created or revoked shared invitation links during the past five years.
Slack has confirmed that the hashed passwords were not visible to other members of the workspace within the client. However, they could have been obtained by an attacker actively monitoring the encrypted traffic coming from Slack’s servers.
“Upon receiving the report from the security researcher, we immediately fixed the underlying bug and then began investigating the potential impact of this issue on our customers. We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset affected users’ Slack passwords,” Slack explained in its security advisory.
Slack recommends that customers enable two-factor authentication
Hashing is a one-way cryptographic technique used to store sensitive data such as passwords without keeping the plaintext. Slack claims that these hashed passwords cannot be used for authentication and that recovering the original passwords from them is practically impossible. However, the company noted in the security advisory sent to affected customers that attackers could use brute-force methods to recover passwords from the hashes.
Slack has advised customers to enable two-factor authentication and enforce password hygiene in their organizations. This means users should create strong passwords and use a unique password for each service. Users can also review their personal access logs in Slack to confirm that their account has not been compromised.
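To make the two points above concrete (a password hash is not itself a credential, yet a leaked hash of a weak or reused password can still be guessed offline), here is an added example that is not Slack's code and says nothing about how Slack stores passwords. It uses Python's standard library scrypt KDF with a per-user random salt, verifies a login attempt with a constant-time comparison, and includes a defender-side audit that checks a stored hash against a small constructed list of known-weak passwords, which is exactly the kind of guessing a brute-force attacker would do against a leaked hash. The cost parameters, the storage format and the KNOWN_WEAK list are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed cost parameters for this example (128 * N * r bytes of memory, 16 MiB here).
# Production values should be tuned to the hardware; these keep the example fast.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32

# Constructed list of weak passwords for the audit below (not from any real breach corpus).
KNOWN_WEAK = ["123456", "password", "password123", "qwerty", "letmein"]


def _kdf(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password and salt with scrypt."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DKLEN,
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable string: 'scrypt$<salt-hex>$<digest-hex>'.

    A fresh 16-byte random salt is drawn per call, so the same password
    yields a different stored value every time it is hashed. The stored
    value cannot be replayed as a credential: logging in still requires
    the plaintext, which only the user knows.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = _kdf(password, salt)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = _kdf(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_against_known_weak(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Defender-side check: does this stored hash match any known-weak password?

    Returns the matching candidate, or None. This is the same computation an
    attacker performs offline against a leaked hash, which is why a slow KDF
    (each guess costs one scrypt evaluation) and unique, strong passwords
    limit the damage of a hash exposure.
    """
    for candidate in candidates:
        if verify_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored value:", stored)
    print("login with right password:", verify_password("correct horse battery staple", stored))
    print("login with wrong password:", verify_password("Correct horse battery staple", stored))
    print("weak hash guessed as:", audit_against_known_weak(hash_password("password123"), KNOWN_WEAK))
    print("strong hash guessed as:", audit_against_known_weak(stored, KNOWN_WEAK))
```

Two things the run makes visible: hashing the same password twice produces two different stored strings (the salt), so an exposed hash cannot simply be looked up in a precomputed table; and the audit finds "password123" after only a few scrypt evaluations, while the passphrase is not in the list at all. That is the practical meaning of Slack's two recommendations: a unique, strong password keeps the hash out of reach of guessing, and two-factor authentication means a recovered password is still not enough to log in.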