Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users

Slack said it took the step of resetting passwords for about 0.5% of its users after a flaw exposed salted password hashes when creating or revoking shared invitation links for workspaces.

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members,” the enterprise communication and collaboration platform said in an alert on 4th August.

Hashing refers to a cryptographic technique that transforms any form of data into a fixed-size output (called a hash value or simply hash). Salting is designed to add an extra security layer to the hashing process to make it resistant to brute-force attempts.

The Salesforce-owned company, which reported more than 12 million daily active users in September 2019, didn’t reveal the exact hashing algorithm used to safeguard the passwords.

The bug is said to have impacted all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022, when Slack was alerted to the issue by an unnamed independent security researcher.

It’s worth pointing out that the hashed passwords were not visible to any Slack clients, meaning access to the information necessitated active monitoring of the encrypted network traffic originating from Slack’s servers.

“We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue,” Slack noted in the advisory. “However, for the sake of caution, we have reset affected users’ Slack passwords.”

Additionally, the company is using the incident to advise its users to turn on two-factor authentication as a means to protect against account takeover attempts, and to create unique passwords for online services.
