Slack resets passwords for about 0.5% of its users due to the exposure of salted password hashes

Pierluigi Paganini August 06, 2022

Slack is resetting passwords for approximately 0.5% of its users after a bug exposed salted password hashes when users created or revoked a shared invitation link for their workspace.

Slack announced that it is resetting passwords for about 0.5% of its users after a bug exposed salted password hashes when creating or revoking shared invitation links for workspaces.

This issue was reported by an independent security researcher and disclosed to Slack on 17 July 2022. The company states that the bug affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members. This hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers.” reads the advisory published by Slack.


Upon receiving the report from the security researcher, the company fixed the flaw and investigated its potential impact on users. Slack states that it has no evidence that anyone obtained plaintext passwords by exploiting this issue.

The company also added that it is practically infeasible to derive a password from the associated hash, and that an exposed hash cannot itself be used to authenticate. Both points hold only with caveats a practitioner should keep in mind: a salt defeats precomputed tables and forces per-user work, but it does not stop offline guessing against a leaked hash, so a weak or reused password can still be recovered by a dictionary attack even against a deliberately slow hash function, and Slack did not disclose which hashing algorithm was in use. The forced reset closes that window regardless of how strong the hash is.
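The following Python example is added here to make the two claims above concrete; it is not Slack's code, and Slack has not published its password hashing algorithm. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt as a stand-in for "a salted password hash", and uses a constructed six-word wordlist in place of a real leaked-password list. It shows that a leaked digest is rejected when submitted as a password, that two users with the same password get different digests, and that the salt does not protect a weak password from offline guessing while a long random password survives the same attack.

```python
import hashlib
import hmac
import os

# Example parameters, not Slack's. Iteration count kept modest so the demo runs quickly.
ITERATIONS = 100_000

# Constructed wordlist standing in for a dictionary or leaked-password list.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2022!", "welcome1"]


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh random salt per user means identical
    passwords produce different digests, so a leaked digest cannot be matched
    against a precomputed table or against another user's digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(candidate, salt, digest, iterations=ITERATIONS):
    """What a login endpoint does: rehash the submitted secret with the stored
    salt and compare in constant time. Submitting the digest itself as the
    password fails because it is hashed again rather than compared directly."""
    _, cand = hash_password(candidate, salt, iterations)
    return hmac.compare_digest(cand, digest)


def crack_with_wordlist(salt, digest, wordlist, iterations=ITERATIONS):
    """Offline guessing attack available to anyone holding salt + digest.
    The salt does not prevent this; it only forces the work to be redone per
    user. Returns the recovered password, or None if no guess matched."""
    for guess in wordlist:
        if verify_password(guess, salt, digest, iterations):
            return guess
    return None


def demo():
    """Run the three checks and return the results as a dict."""
    weak_salt, weak_digest = hash_password("Summer2022!")
    strong_salt, strong_digest = hash_password("tRm9-vQz2-hLp4-Xk7n-3bWq")
    return {
        # An exposed hash is not a usable credential on its own.
        "digest_as_password_accepted": verify_password(weak_digest.hex(), weak_salt, weak_digest),
        # Same password, two salts: digests differ.
        "same_password_same_digest": hash_password("Summer2022!")[1] == weak_digest,
        # Weak password falls to a short wordlist despite the salt.
        "weak_recovered": crack_with_wordlist(weak_salt, weak_digest, WORDLIST),
        # Long random password survives the same attack.
        "strong_recovered": crack_with_wordlist(strong_salt, strong_digest, WORDLIST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The distinction the demo draws is the one that matters for affected users: the hash itself is not a login credential, but the effort to recover the underlying password scales with the password's strength, not with the presence of a salt, which is why rotating the password and using a unique one per service is the right response.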

“All active accounts requiring a password reset are being notified directly with instructions. For information on password resets at any time, please visit our Help Centre: https://get.slack.help/hc/en-us/articles/201909068” concludes the advisory. “We recommend that all users use two-factor authentication, ensure that their computer software and antivirus software are up to date, create new, unique passwords for every service that they use and use a password manager.”

The exposure window therefore spans more than five years, from 17 April 2017 until 17 July 2022, when the unnamed independent researcher reported the issue to Slack.

It is worth being precise about who could have seen the hash. It was never rendered by any Slack client, and the traffic carrying it was encrypted (TLS) between Slack's servers and each member's client, so a passive observer on the network could not read it. Capturing it required actively monitoring the decrypted traffic of an authenticated session, for example with an intercepting proxy on one's own machine, which means the realistic attacker was another member of the same workspace inspecting the responses sent to their own client, not an outsider.


(SecurityAffairs – hacking, Slack)
