Following the disclosure of hashes in invitation links, Slack changes passwords

After correcting a flaw that exposed salted password hashes while creating or revoking shared invitation links for workspaces, Slack sent notifications to about 0.5 percent of its users that their passwords had been changed.

“When a user performed either of these actions, Slack transmitted a hashed version of their password (not plaintext) to other workspace members,” Slack told BleepingComputer.

“Although this data was shared via the new or deactivated invitation link, the Slack client did not store or display this data to members of that workspace.”

Following the disclosure of hashes in invitation links, Slack changes passwords

An independent security researcher identified the flaw and informed Slack of it on July 17. All users who made or removed shared invitation links between April 17, 2017, and July 17, 2022, were affected by the problem.

Fortunately, the hashed passwords were hidden from Slack clients, and Slack’s servers had to actively monitor encrypted network traffic to obtain the exposed data.

Plaintext passwords weren’t disclosed

Additionally, Slack stated that it had no reason to believe that the problem had been used to get plain passwords before it being fixed.

“We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue,” the company stated on Thursday.

“However, for the sake of caution, we have reset affected users’ Slack passwords. They will need to set a new Slack password before they can log in again.”

It’s also essential to remember that, even though hashes cannot be utilized for authentication and that it is not conceivable to attempt to reverse them, Slack included a warning that hashes may still be reversed using brute force in security notifications sent to affected users.

“Hashed passwords are secure, but not perfect — they are still subject to being reversed via brute force — which is why we’ve chosen to reset the passwords of everyone affected,” Slack warned.

Before this piece was published, a source contacted Slack to inquire further about the hashing algorithm used to produce the password hashes, but they did not hear back.

You can check the personal access logs here to make sure your account wasn’t compromised. Additionally, Slack recommends that users set up two-factor authentication and generate their passwords that are not shared with any other digital services.

Slack claims to have more than 169,000 consumers from more than 150 different countries, including 65 Fortune 100 firms.