Slack flaw exposed users' hashed passwords

Slack flaw exposed users’ hashed passwords

Slack, the workplace communication platform, has notified some of its users that their hashed passwords have been subject to exposure for the last five years. The company wasn’t specific in its notice, but Wired said that the flaw was in one of its “low-friction features”. The flaw exposed hashed passwords of users when creating or revoking shared invitation links for workspaces.

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members,” the company said in a notice. “It affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.”

Putting a plaintext password through a hashing algorithm changes it to a cryptographically scrambled or obfuscated version of itself, now called a “ciphertext”. It is a unique string of characters with a fixed length. Adding “salt”—essentially random data—when hashing would further protect the password from getting easily extracted by threat actors.

The exposure only occurs behind the scenes, though, as Slack users who were sent these invitations couldn’t see the passwords. However, they weren’t completely inaccessible, although seeing the exposed passwords required actively monitoring encrypted traffic from Slack’s servers.

“We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset affected users’ Slack passwords.”

Slack warned that hashes are “secure, but not perfect.” Hashed passwords could still be revered by brute force methods.

Slack promptly patched the flaw after an independent security researcher reported it to Slack last month. It then notified the approximately 0.5 percent of all its users who may have been affected, 

The company also took this opportunity to advise its users to enable 2FA (two-factor authentication) on their accounts and create strong and unique passwords. It also advised users to check access logs, which they can find here, for their accounts.