- Slack reset the passwords of 0.5% of its users as a precaution after being alerted to a bug that transmitted hashed versions of user passwords to other workspace members.
- The bug affected all users who created or revoked a shared invite link between April 17, 2017, and July 17, 2022.
- The company fixed the bug immediately and sent an alert email to its affected users, urging them to change their passwords as soon as possible.
Slack, the messaging platform, sent an email about a bug that affected roughly 0.5% of its users. The bug transmitted a hashed version of the affected users' passwords to other members of their workspace. The vulnerability had been present from 17 April 2017 until 17 July 2022, a span of five years.
The flaw existed for five years
Slack is an excellent communication and collaboration tool. It has transformed business communication and is used by millions to align their teams and unify their systems. In a blog post, the company disclosed a bug discovered on 17 July 2022. Slack took action and resolved the issue almost the same day.
According to Slack, the bug affected approximately 0.5% of Slack users for five years, starting in 2017. The flaw was in the Slack invite link feature. Each time a user created or revoked an invite link, other members of that Slack workspace were sent the hashed password of the user who created the link. Luckily, this hashed password was never displayed by any Slack client; it would only have been visible to someone actively intercepting the network traffic.
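Slack has not published the root cause, so the following is an added illustration of the general bug class rather than Slack's own code: an event broadcast to other workspace members is built by serialising the whole user record (so whatever the record holds, including a stored password hash, ships with it), next to a version built from an explicit allowlist of public fields, plus a last-line check that refuses to emit any payload carrying a secret-named key. The `User` fields, the `SECRET_FIELDS` list, the event shape and all sample values are assumptions constructed for the example.

```python
"""Added example, not Slack's code: an invite-link event that leaks a stored
password hash versus one built from an allowlist of public fields, with a
regression check that scans outbound payloads for secret-named keys."""
from dataclasses import dataclass, asdict
import json

# Key names treated as secrets that must never leave the server.
# This list is an assumption chosen for the example.
SECRET_FIELDS = frozenset({"password_hash", "password_salt", "session_token"})

# Fields of a user record that other workspace members may legitimately see.
PUBLIC_USER_FIELDS = ("id", "display_name")


@dataclass
class User:
    id: str
    display_name: str
    email: str
    password_hash: str  # constructed placeholder, not a real digest


def leaky_invite_event(actor: User, invite_id: str, action: str) -> dict:
    """The buggy pattern: dump the whole actor record into the event sent to
    other workspace members. Every column in the record goes on the wire."""
    return {"type": f"invite_link.{action}", "invite_id": invite_id,
            "actor": asdict(actor)}


def safe_invite_event(actor: User, invite_id: str, action: str) -> dict:
    """The fixed pattern: build the actor view from an allowlist, so adding a
    sensitive column to User later cannot widen the payload by accident."""
    actor_view = {f: getattr(actor, f) for f in PUBLIC_USER_FIELDS}
    return {"type": f"invite_link.{action}", "invite_id": invite_id,
            "actor": actor_view}


def find_secret_keys(payload, path: str = "") -> list:
    """Walk a JSON-compatible payload and return the dotted paths of any key
    named in SECRET_FIELDS. Usable before broadcasting, in unit tests, or
    when reviewing captured traffic for this class of leak."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if key in SECRET_FIELDS:
                hits.append(here)
            hits.extend(find_secret_keys(value, here))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(find_secret_keys(value, f"{path}[{i}]"))
    return hits


def broadcast(payload: dict) -> str:
    """Serialise a payload for sending, refusing any that carries a secret."""
    leaks = find_secret_keys(payload)
    if leaks:
        raise ValueError(f"refusing to broadcast payload with secret fields: {leaks}")
    return json.dumps(payload, sort_keys=True)


# Constructed sample data.
ALICE = User(id="U123", display_name="alice", email="alice@example.invalid",
             password_hash="$2b$12$EXAMPLEHASHNOTREAL")

if __name__ == "__main__":
    print(find_secret_keys(leaky_invite_event(ALICE, "I9", "created")))
    print(broadcast(safe_invite_event(ALICE, "I9", "revoked")))
```

The allowlist view also drops the e-mail address, which other members have no need for in an invite event; the guard in `broadcast` is a safety net for regressions, not a substitute for the allowlist, since it only catches keys whose names are already on the list.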
Slack says it does not believe anyone was able to obtain plaintext passwords because of this issue. It reset the affected users' passwords purely as a precaution.
"We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset the affected users' Slack passwords. They will need to set a new Slack password before they can log in again."
The bug was discovered by an independent security researcher and disclosed to Slack on July 17. After fixing it, Slack sent an email to affected users and required them to reset their passwords. Users can visit the Slack help center at any time for further information on password resets.