Slack has notified roughly 0.5% of its users that it reset their passwords after fixing a bug that exposed salted password hashes when creating or revoking shared invitation links for workspaces.
Reported by BleepingComputer, Slack said “when a user performed either of these actions, Slack transmitted a hashed version of their password (not plaintext) to other workspace members.”
“Although this data was shared via the new or deactivated invitation link, the Slack client did not store or display this data to members of that workspace.”
An independent security researcher disclosed the bug to Slack on 17th July. The issue affected all users who created or revoked shared invitations between April 17th 2017 and July 17th 2022.
The hashed passwords were not visible to Slack clients though, as active monitoring of encrypted network traffic from Slack’s servers is required to access this exposed information.
The company added that it has no reason to consider that the bug was used to gain access to plaintext passwords before being fixed. T
On Thursday, Slack said: “We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue,” the company stated on Thursday.
“However, for the sake of caution, we have reset affected users’ Slack passwords. They will need to set a new Slack password before they can log in again.”
Slack has added in security notices sent to affected users that hashed could still be reversed via brute force.
The company warned: “Hashed passwords are secure, but not perfect — they are still subject to being reversed via brute force — which is why we’ve chosen to reset the passwords of everyone affected.”
Slack has more than 169,000 paying customers from over 150 countries.